diff --git a/internal/constants.go b/internal/constants.go
index 71a134a72a9..8fc123235f3 100644
--- a/internal/constants.go
+++ b/internal/constants.go
@@ -6,5 +6,5 @@ const (
 // JSONSchemaVersion is the current schema version output by the JSON encoder
 // This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
- JSONSchemaVersion = "4.0.0"
+ JSONSchemaVersion = "5.0.0"
 )
diff --git a/schema/json/schema-5.0.0.json b/schema/json/schema-5.0.0.json
new file mode 100644
index 00000000000..e85e04fc9e4
--- /dev/null
+++ b/schema/json/schema-5.0.0.json
@@ -0,0 +1,1577 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Document", + "definitions": { + "AlpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + }, + "uid": { + "type": "string" + }, + "gid": { + "type": "string" + }, + "time": { + "type": "string", + "format": "date-time" + }, + "size": { + "type": "string" + }, + "link": { + "type": "string" + }, + "digest": { + "items": { + "$ref": "#/definitions/Digest" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "AlpmMetadata": { + "required": [ + "basepackage", + "package", + "version", + "description", + "architecture", + "size", + "packager", + "license", + "url", + "validation", + "reason", + "files", + "backup" + ], + "properties": { + "basepackage": { + "type": "string" + }, + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "description": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "packager": { + "type": "string" + }, + "license": { + "type": "string" + }, + "url": { + "type": "string" + }, + "validation": { + "type": "string" + }, + "reason": { + "type": "integer" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/AlpmFileRecord" + }, + "type": "array" + }, + "backup": { + "items": { + "$ref": "#/definitions/AlpmFileRecord" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "ApkFileRecord": { + "required": [ + "path" + ], + "properties": { + "path": { + "type": "string" + }, + "ownerUid": { + "type": "string" + }, + "ownerGid": { + "type": "string" + }, + "permissions": { + "type": "string" + }, + "digest": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Digest" + } + }, + "additionalProperties": true, + "type": "object" + }, + "ApkMetadata": { + 
"required": [ + "package", + "originPackage", + "maintainer", + "version", + "license", + "architecture", + "url", + "description", + "size", + "installedSize", + "pullDependencies", + "pullChecksum", + "gitCommitOfApkPort", + "files" + ], + "properties": { + "package": { + "type": "string" + }, + "originPackage": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "url": { + "type": "string" + }, + "description": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "installedSize": { + "type": "integer" + }, + "pullDependencies": { + "type": "string" + }, + "pullChecksum": { + "type": "string" + }, + "gitCommitOfApkPort": { + "type": "string" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/ApkFileRecord" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "CargoPackageMetadata": { + "required": [ + "name", + "version", + "source", + "checksum", + "dependencies" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Classification": { + "required": [ + "class", + "metadata" + ], + "properties": { + "class": { + "type": "string" + }, + "metadata": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "additionalProperties": true, + "type": "object" + }, + "ConanLockMetadata": { + "required": [ + "ref" + ], + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + }, + "prev": { + "type": "string" + }, + "requires": { + "type": "string" + }, + "build_requires": { + "type": "string" + 
}, + "py_requires": { + "type": "string" + }, + "options": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "path": { + "type": "string" + }, + "context": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "ConanMetadata": { + "required": [ + "ref" + ], + "properties": { + "ref": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Coordinates": { + "required": [ + "path" + ], + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "DartPubMetadata": { + "required": [ + "name", + "version" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "hosted_url": { + "type": "string" + }, + "vcs_url": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Descriptor": { + "required": [ + "name", + "version" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "configuration": { + "additionalProperties": true + } + }, + "additionalProperties": true, + "type": "object" + }, + "Digest": { + "required": [ + "algorithm", + "value" + ], + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Document": { + "required": [ + "artifacts", + "artifactRelationships", + "source", + "distro", + "descriptor", + "schema" + ], + "properties": { + "artifacts": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Package" + }, + "type": "array" + }, + "artifactRelationships": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Relationship" + }, + "type": "array" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": 
"#/definitions/File" + }, + "type": "array" + }, + "secrets": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Secrets" + }, + "type": "array" + }, + "source": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Source" + }, + "distro": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/LinuxRelease" + }, + "descriptor": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Descriptor" + }, + "schema": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Schema" + } + }, + "additionalProperties": true, + "type": "object" + }, + "DotnetDepsMetadata": { + "required": [ + "name", + "version", + "path", + "sha512", + "hashPath" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "path": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "hashPath": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "DpkgFileRecord": { + "required": [ + "path", + "isConfigFile" + ], + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/definitions/Digest" + }, + "isConfigFile": { + "type": "boolean" + } + }, + "additionalProperties": true, + "type": "object" + }, + "DpkgMetadata": { + "required": [ + "package", + "source", + "version", + "sourceVersion", + "architecture", + "maintainer", + "installedSize", + "files" + ], + "properties": { + "package": { + "type": "string" + }, + "source": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/DpkgFileRecord" + }, + "type": "array" + } + }, + 
"additionalProperties": true, + "type": "object" + }, + "File": { + "required": [ + "id", + "location" + ], + "properties": { + "id": { + "type": "string" + }, + "location": { + "$ref": "#/definitions/Coordinates" + }, + "metadata": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/FileMetadataEntry" + }, + "contents": { + "type": "string" + }, + "digests": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Digest" + }, + "type": "array" + }, + "classifications": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Classification" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "FileMetadataEntry": { + "required": [ + "mode", + "type", + "userID", + "groupID", + "mimeType" + ], + "properties": { + "mode": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "linkDestination": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "groupID": { + "type": "integer" + }, + "mimeType": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "GemMetadata": { + "required": [ + "name", + "version" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "licenses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "GolangBinMetadata": { + "required": [ + "goCompiledVersion", + "architecture" + ], + "properties": { + "goBuildSettings": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "goCompiledVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "h1Digest": { + "type": "string" + }, + 
"mainModule": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "HackageMetadata": { + "required": [ + "name", + "version" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "snapshotURL": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "JavaManifest": { + "properties": { + "main": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "namedSections": { + "patternProperties": { + ".*": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "additionalProperties": true, + "type": "object" + }, + "JavaMetadata": { + "required": [ + "virtualPath" + ], + "properties": { + "virtualPath": { + "items": { + "type": "string" + }, + "type": "array" + }, + "manifest": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/JavaManifest" + }, + "pomProperties": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PomProperties" + }, + "pomProject": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PomProject" + }, + "digest": { + "items": { + "$ref": "#/definitions/Digest" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "KbPackageMetadata": { + "required": [ + "product_id", + "kb" + ], + "properties": { + "product_id": { + "type": "string" + }, + "kb": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "LinuxRelease": { + "properties": { + "prettyName": { + "type": "string" + }, + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "idLike": { + "items": { + "type": "string" + }, + "type": "array" + }, + "version": { + "type": "string" + }, + "versionID": { + "type": "string" + }, + "versionCodename": { + "type": "string" + }, 
+ "buildID": { + "type": "string" + }, + "imageID": { + "type": "string" + }, + "imageVersion": { + "type": "string" + }, + "variant": { + "type": "string" + }, + "variantID": { + "type": "string" + }, + "homeURL": { + "type": "string" + }, + "supportURL": { + "type": "string" + }, + "bugReportURL": { + "type": "string" + }, + "privacyPolicyURL": { + "type": "string" + }, + "cpeName": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "NpmPackageJSONMetadata": { + "required": [ + "name", + "version", + "author", + "licenses", + "homepage", + "description", + "url", + "private" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "type": "string" + }, + "licenses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "private": { + "type": "boolean" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Package": { + "required": [ + "id", + "name", + "version", + "type", + "foundBy", + "locations", + "licenses", + "language", + "cpes", + "purl" + ], + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "foundBy": { + "type": "string" + }, + "locations": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/Coordinates" + }, + "type": "array" + }, + "licenses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "language": { + "type": "string" + }, + "cpes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "purl": { + "type": "string" + }, + "metadataType": { + "type": "string" + }, + "metadata": { + "anyOf": [ + { + "type": "null" + }, + { + "$ref": "#/definitions/AlpmMetadata" + 
}, + { + "$ref": "#/definitions/ApkMetadata" + }, + { + "$ref": "#/definitions/CargoPackageMetadata" + }, + { + "$ref": "#/definitions/ConanLockMetadata" + }, + { + "$ref": "#/definitions/ConanMetadata" + }, + { + "$ref": "#/definitions/DartPubMetadata" + }, + { + "$ref": "#/definitions/DotnetDepsMetadata" + }, + { + "$ref": "#/definitions/DpkgMetadata" + }, + { + "$ref": "#/definitions/GemMetadata" + }, + { + "$ref": "#/definitions/GolangBinMetadata" + }, + { + "$ref": "#/definitions/HackageMetadata" + }, + { + "$ref": "#/definitions/JavaMetadata" + }, + { + "$ref": "#/definitions/KbPackageMetadata" + }, + { + "$ref": "#/definitions/NpmPackageJSONMetadata" + }, + { + "$ref": "#/definitions/PhpComposerJSONMetadata" + }, + { + "$ref": "#/definitions/PortageMetadata" + }, + { + "$ref": "#/definitions/PythonPackageMetadata" + }, + { + "$ref": "#/definitions/RpmMetadata" + } + ] + } + }, + "additionalProperties": true, + "type": "object" + }, + "PhpComposerAuthors": { + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "email": { + "type": "string" + }, + "homepage": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PhpComposerExternalReference": { + "required": [ + "type", + "url", + "reference" + ], + "properties": { + "type": { + "type": "string" + }, + "url": { + "type": "string" + }, + "reference": { + "type": "string" + }, + "shasum": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PhpComposerJSONMetadata": { + "required": [ + "name", + "version", + "source", + "dist" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/definitions/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": 
"object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PomParent": { + "required": [ + "groupId", + "artifactId", + "version" + ], + "properties": { + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PomProject": { + "required": [ + "path", + "groupId", + "artifactId", + "version", + "name" + ], + "properties": { + "path": { + "type": "string" + }, + "parent": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PomParent" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PomProperties": { + "required": [ + "path", + "name", + "groupId", + "artifactId", + "version", + "extraFields" + ], + "properties": { + "path": { + "type": "string" + }, + "name": { + "type": 
"string" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "extraFields": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PortageFileRecord": { + "required": [ + "path" + ], + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/definitions/Digest" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PortageMetadata": { + "required": [ + "package", + "version", + "installedSize", + "files" + ], + "properties": { + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PortageFileRecord" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PythonDirectURLOriginInfo": { + "required": [ + "url" + ], + "properties": { + "url": { + "type": "string" + }, + "commitId": { + "type": "string" + }, + "vcs": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PythonFileDigest": { + "required": [ + "algorithm", + "value" + ], + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PythonFileRecord": { + "required": [ + "path" + ], + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PythonFileDigest" + }, + "size": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "PythonPackageMetadata": { + "required": [ + "name", + "version", + "license", + "author", + "authorEmail", + "platform", + "sitePackagesRootPath" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + 
"type": "string" + }, + "license": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PythonFileRecord" + }, + "type": "array" + }, + "sitePackagesRootPath": { + "type": "string" + }, + "topLevelPackages": { + "items": { + "type": "string" + }, + "type": "array" + }, + "directUrlOrigin": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/PythonDirectURLOriginInfo" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Relationship": { + "required": [ + "parent", + "child", + "type" + ], + "properties": { + "parent": { + "type": "string" + }, + "child": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": { + "additionalProperties": true + } + }, + "additionalProperties": true, + "type": "object" + }, + "RpmMetadata": { + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "license", + "vendor", + "modularityLabel", + "files" + ], + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "license": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "files": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/RpmdbFileRecord" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "RpmdbFileRecord": { + "required": [ + "path", + "mode", + "size", + "digest", + "userName", + "groupName", + "flags" + ], + "properties": { + "path": 
{ + "type": "string" + }, + "mode": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "digest": { + "$ref": "#/definitions/Digest" + }, + "userName": { + "type": "string" + }, + "groupName": { + "type": "string" + }, + "flags": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Schema": { + "required": [ + "version", + "url" + ], + "properties": { + "version": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "SearchResult": { + "required": [ + "classification", + "lineNumber", + "lineOffset", + "seekPosition", + "length" + ], + "properties": { + "classification": { + "type": "string" + }, + "lineNumber": { + "type": "integer" + }, + "lineOffset": { + "type": "integer" + }, + "seekPosition": { + "type": "integer" + }, + "length": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Secrets": { + "required": [ + "location", + "secrets" + ], + "properties": { + "location": { + "$ref": "#/definitions/Coordinates" + }, + "secrets": { + "items": { + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/SearchResult" + }, + "type": "array" + } + }, + "additionalProperties": true, + "type": "object" + }, + "Source": { + "required": [ + "type", + "target" + ], + "properties": { + "type": { + "type": "string" + }, + "target": { + "additionalProperties": true + } + }, + "additionalProperties": true, + "type": "object" + } + } +} diff --git a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 3b23a84e516..3091be43129 100644 --- a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden 
@@ -1,10 +1,10 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248", + "serialNumber": "urn:uuid:2169027d-1466-4b04-9b07-34c6ce513539", "version": 1, "metadata": { - "timestamp": "2022-05-23T12:05:00-07:00", + "timestamp": "2022-10-05T21:08:02-04:00", "tools": [ { "vendor": "anchore", @@ -20,7 +20,7 @@ }, "components": [ { - "bom-ref": "b85dbb4e6ece5082", + "bom-ref": "2a90c3effff7fb4f", "type": "library", "name": "package-1", "version": "1.0.1", @@ -57,7 +57,7 @@ ] }, { - "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=ceda99598967ae8d", + "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=982bd655c9957788", "type": "library", "name": "package-2", "version": "2.0.1", diff --git a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 6dac17e18d5..45082e54c11 100644 --- a/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,10 +1,10 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6", + "serialNumber": "urn:uuid:49ee8684-f17f-4b27-b652-08700616a46c", "version": 1, "metadata": { - "timestamp": "2022-05-23T12:05:01-07:00", + "timestamp": "2022-10-05T21:08:02-04:00", "tools": [ { "vendor": "anchore", @@ -13,7 +13,7 @@ } ], "component": { - "bom-ref": "e779c1ed804ba529", + "bom-ref": "e7c509028e64e19d", "type": "container", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" @@ -21,7 +21,7 @@ }, "components": [ { - "bom-ref": "2a46171f91c8d4bc", + "bom-ref": "2a56b96c604f3ab3", "type": "library", "name": "package-1", "version": "1.0.1", 
@@ -53,7 +53,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405" + "value": "sha256:4965affaf42a7174561882c5fd87e2db6f0b07df532459ba86f98a8bd2af11de" }, { "name": "syft:location:0:path", @@ -62,7 +62,7 @@ ] }, { - "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=ae77680e9b1d087e", + "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=982bd655c9957788", "type": "library", "name": "package-2", "version": "2.0.1", @@ -83,7 +83,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265" + "value": "sha256:460c3e27be163efe75df048c4d4cf3a22e7e363f02521fa2e82a3bd257a682d4" }, { "name": "syft:location:0:path", diff --git a/syft/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 3d93b6d3ad1..538b5e585a0 100644 Binary files a/syft/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 7505cd83b93..a25131acc14 100644 --- a/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-05-23T12:02:41-07:00 + 2022-10-05T21:14:00-04:00 anchore @@ -14,7 +14,7 @@ - + package-1 1.0.1 @@ -32,7 +32,7 @@ /some/path/pkg1 - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* 
diff --git a/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 6ef8367e66a..46a7f8ab37f 100644 --- a/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/syft/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,7 +1,7 @@ - + - 2022-05-23T12:02:42-07:00 + 2022-10-05T21:14:00-04:00 anchore @@ -9,13 +9,13 @@ v0.42.0-bogus - + user-image-input sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 - + package-1 1.0.1 @@ -30,11 +30,11 @@ python PythonPackageMetadata python - sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405 + sha256:4965affaf42a7174561882c5fd87e2db6f0b07df532459ba86f98a8bd2af11de /somefile-1.txt - + package-2 2.0.1 cpe:2.3:*:some:package:2:*:*:*:*:*:*:* @@ -43,7 +43,7 @@ the-cataloger-2 DpkgMetadata deb - sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265 + sha256:460c3e27be163efe75df048c4d4cf3a22e7e363f02521fa2e82a3bd257a682d4 /somefile-2.txt 0 diff --git a/syft/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 3d93b6d3ad1..538b5e585a0 100644 Binary files a/syft/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index f237501b507..d458f14b587 100644 --- a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden 
@@ -3,18 +3,18 @@ "name": "/some/path", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-05-23T19:10:22.25645Z", + "created": "2022-10-05T19:47:00.536845Z", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "licenseListVersion": "3.17" + "licenseListVersion": "3.18" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/dir/some/path-81dbcbfa-251d-4ad5-9b01-be91afb16469", + "documentNamespace": "https://anchore.com/syft/dir/some/path-d2cf5b49-ce38-488e-8519-19ba1c77733f", "packages": [ { - "SPDXID": "SPDXRef-b85dbb4e6ece5082", + "SPDXID": "SPDXRef-2a90c3effff7fb4f", "name": "package-1", "licenseConcluded": "MIT", "downloadLocation": "NOASSERTION", @@ -36,7 +36,7 @@ "versionInfo": "1.0.1" }, { - "SPDXID": "SPDXRef-ceda99598967ae8d", + "SPDXID": "SPDXRef-982bd655c9957788", "name": "package-2", "licenseConcluded": "NONE", "downloadLocation": "NOASSERTION", diff --git a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index f1891ad57aa..9a974940750 100644 --- a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden 
@@ -3,18 +3,18 @@ "name": "user-image-input", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-05-23T19:10:22.412847Z", + "created": "2022-10-05T19:47:01.104611Z", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "licenseListVersion": "3.17" + "licenseListVersion": "3.18" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-c9945597-78ce-4e9b-89d2-68b8e4e4ccb9", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-cc71fd4c-1f74-4d35-beea-67d21d67679e", "packages": [ { - "SPDXID": "SPDXRef-2a46171f91c8d4bc", + "SPDXID": "SPDXRef-2a56b96c604f3ab3", "name": "package-1", "licenseConcluded": "MIT", "downloadLocation": "NOASSERTION", @@ -36,7 +36,7 @@ "versionInfo": "1.0.1" }, { - "SPDXID": "SPDXRef-ae77680e9b1d087e", + "SPDXID": "SPDXRef-982bd655c9957788", "name": "package-2", "licenseConcluded": "NONE", "downloadLocation": "NOASSERTION", diff --git a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 445c69d82a3..17d646f0b38 100644 --- a/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/formats/spdx22json/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -3,7 +3,7 @@ "name": "user-image-input", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-09-19T18:39:05.841331Z", + "created": "2022-10-05T19:47:01.110308Z", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" 
@@ -11,10 +11,10 @@ "licenseListVersion": "3.18" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-6cf0595e-7d69-4990-aef5-8183b52023b9", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-aa6c73fa-fb4c-49af-a3ff-44ae082e518d", "packages": [ { - "SPDXID": "SPDXRef-2a46171f91c8d4bc", + "SPDXID": "SPDXRef-2a56b96c604f3ab3", "name": "package-1", "licenseConcluded": "MIT", "downloadLocation": "NOASSERTION", @@ -44,7 +44,7 @@ "versionInfo": "1.0.1" }, { - "SPDXID": "SPDXRef-ae77680e9b1d087e", + "SPDXID": "SPDXRef-982bd655c9957788", "name": "package-2", "licenseConcluded": "NONE", "downloadLocation": "NOASSERTION", @@ -118,32 +118,32 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-5265a4dde3edbf7c" }, { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-839d99ee67d9d174" }, { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6" }, { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-c641caa71518099f" }, { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f" }, { - "spdxElementId": "SPDXRef-2a46171f91c8d4bc", + "spdxElementId": "SPDXRef-2a56b96c604f3ab3", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd" } 
diff --git a/syft/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 3d93b6d3ad1..6a8f02a8920 100644 Binary files a/syft/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index e9e540f62ce..4bbaba4f229 100644 --- a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -2,16 +2,16 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: . -DocumentNamespace: https://anchore.com/syft/dir/bdb67358-651c-4dd8-b5ee-5318936eb16a -LicenseListVersion: 3.17 +DocumentNamespace: https://anchore.com/syft/dir/2c8c96ca-2b8f-46cc-bdab-2f3bd4e9f8e6 +LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-06-07T19:33:39Z +Created: 2022-10-06T01:06:05Z ##### Package: @at-sign PackageName: @at-sign -SPDXID: SPDXRef-Package---at-sign-739e4f0d93fb8298 +SPDXID: SPDXRef-Package---at-sign-a13c298001ac6444 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false PackageLicenseConcluded: NONE @@ -21,7 +21,7 @@ PackageCopyrightText: NOASSERTION ##### Package: some/slashes PackageName: some/slashes -SPDXID: SPDXRef-Package--some-slashes-26db06648b24bff9 +SPDXID: SPDXRef-Package--some-slashes-5bd9ab07c1a10a05 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false PackageLicenseConcluded: NONE 
@@ -31,7 +31,7 @@ PackageCopyrightText: NOASSERTION ##### Package: under_scores PackageName: under_scores -SPDXID: SPDXRef-Package--under-scores-250cbfefcdea318b +SPDXID: SPDXRef-Package--under-scores-eaf456a50fe77e5d PackageDownloadLocation: NOASSERTION FilesAnalyzed: false PackageLicenseConcluded: NONE diff --git a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index 83e333e4b9d..d06d3b6ace9 100644 --- a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -2,16 +2,16 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547 -LicenseListVersion: 3.17 +DocumentNamespace: https://anchore.com/syft/dir/some/path-d9816458-7761-40d7-a97a-2cbb6c0bfde8 +LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-05-24T22:51:02Z +Created: 2022-10-06T01:06:04Z ##### Package: package-2 PackageName: package-2 -SPDXID: SPDXRef-Package-deb-package-2-ceda99598967ae8d +SPDXID: SPDXRef-Package-deb-package-2-982bd655c9957788 PackageVersion: 2.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false @@ -24,7 +24,7 @@ ExternalRef: PACKAGE_MANAGER purl pkg:deb/debian/package-2@2.0.1 ##### Package: package-1 PackageName: package-1 -SPDXID: SPDXRef-Package-python-package-1-b85dbb4e6ece5082 +SPDXID: SPDXRef-Package-python-package-1-2a90c3effff7fb4f PackageVersion: 1.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false 
diff --git a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index aae5ebf530f..47276dec5e4 100644 --- a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,16 +2,16 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6 -LicenseListVersion: 3.17 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-02826aec-021e-4f01-9b82-6fa2f830f20a +LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-05-24T22:51:02Z +Created: 2022-10-06T01:06:05Z ##### Package: package-2 PackageName: package-2 -SPDXID: SPDXRef-Package-deb-package-2-ae77680e9b1d087e +SPDXID: SPDXRef-Package-deb-package-2-982bd655c9957788 PackageVersion: 2.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false @@ -24,7 +24,7 @@ ExternalRef: PACKAGE_MANAGER purl pkg:deb/debian/package-2@2.0.1 ##### Package: package-1 PackageName: package-1 -SPDXID: SPDXRef-Package-python-package-1-2a46171f91c8d4bc +SPDXID: SPDXRef-Package-python-package-1-2a56b96c604f3ab3 PackageVersion: 1.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false diff --git a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 3d93b6d3ad1..538b5e585a0 100644 Binary files a/syft/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ 
diff --git a/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden b/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden index f7118ea6d23..396659af461 100644 --- a/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden +++ b/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden @@ -1,7 +1,7 @@ { "artifacts": [ { - "id": "b85dbb4e6ece5082", + "id": "2a90c3effff7fb4f", "name": "package-1", "version": "1.0.1", "type": "python", @@ -36,7 +36,7 @@ } }, { - "id": "ceda99598967ae8d", + "id": "982bd655c9957788", "name": "package-2", "version": "2.0.1", "type": "deb", diff --git a/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden b/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden index 664b82f9cb5..f204d4408ee 100644 --- a/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden +++ b/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden @@ -1,7 +1,7 @@ { "artifacts": [ { - "id": "b3fa3ee64756b0c6", + "id": "2a56b96c604f3ab3", "name": "package-1", "version": "1.0.1", "type": "python", @@ -31,7 +31,7 @@ } }, { - "id": "b324f4d9ee5413fe", + "id": "982bd655c9957788", "name": "package-2", "version": "2.0.1", "type": "deb", diff --git a/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden b/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden index a7dda4af6cb..81e767c92a0 100644 --- a/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden +++ b/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden @@ -1,7 +1,7 @@ { "artifacts": [ { - "id": "2a46171f91c8d4bc", + "id": "2a56b96c604f3ab3", "name": "package-1", "version": "1.0.1", "type": "python", 
@@ -9,7 +9,7 @@ "locations": [ { "path": "/somefile-1.txt", - "layerID": "sha256:7ef28e9c2d56471ee090b578a678bdf28c3b5a311ca7b2e28c2a4185e5bb34c0" + "layerID": "sha256:0afd7ddb47f6ad8614573dda60a4426a8da7bb65f82f0ab4d8b7d6b82a8e76b7" } ], "licenses": [ @@ -32,7 +32,7 @@ } }, { - "id": "ae77680e9b1d087e", + "id": "982bd655c9957788", "name": "package-2", "version": "2.0.1", "type": "deb", @@ -40,7 +40,7 @@ "locations": [ { "path": "/somefile-2.txt", - "layerID": "sha256:86da8aee621161bea2efaf27a2709ddab5e7d44e30ecdfda728b02c03a28fd98" + "layerID": "sha256:f66c6703d656b8de6e6817d1cbffa9471701900206c5637a7f724ed0919bf2b1" } ], "licenses": [], @@ -67,7 +67,7 @@ "type": "image", "target": { "userInput": "user-image-input", - "imageID": "sha256:5dd5f5f4247e4e946f555f0de7681a631a5240b614e52717d0aed04808e8c65f", + "imageID": "sha256:97bf244b0a0482eba3aac7b4e663865a470facad1c58bbddc59d1ef9518a01be", "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "tags": [ 
@@ -77,17 +77,17 @@ "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:7ef28e9c2d56471ee090b578a678bdf28c3b5a311ca7b2e28c2a4185e5bb34c0", + "digest": "sha256:0afd7ddb47f6ad8614573dda60a4426a8da7bb65f82f0ab4d8b7d6b82a8e76b7", "size": 22 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:86da8aee621161bea2efaf27a2709ddab5e7d44e30ecdfda728b02c03a28fd98", + "digest": "sha256:f66c6703d656b8de6e6817d1cbffa9471701900206c5637a7f724ed0919bf2b1", "size": 16 } ], - "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NzMsImRpZ2VzdCI6InNoYTI1Njo1ZGQ1ZjVmNDI0N2U0ZTk0NmY1NTVmMGRlNzY4MWE2MzFhNTI0MGI2MTRlNTI3MTdkMGFlZDA0ODA4ZThjNjVmIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1Njo3ZWYyOGU5YzJkNTY0NzFlZTA5MGI1NzhhNjc4YmRmMjhjM2I1YTMxMWNhN2IyZTI4YzJhNDE4NWU1YmIzNGMwIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2Ojg2ZGE4YWVlNjIxMTYxYmVhMmVmYWYyN2EyNzA5ZGRhYjVlN2Q0NGUzMGVjZGZkYTcyOGIwMmMwM2EyOGZkOTgifV19", - "config": "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", + "manifest": 
"eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NzMsImRpZ2VzdCI6InNoYTI1Njo5N2JmMjQ0YjBhMDQ4MmViYTNhYWM3YjRlNjYzODY1YTQ3MGZhY2FkMWM1OGJiZGRjNTlkMWVmOTUxOGEwMWJlIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjowYWZkN2RkYjQ3ZjZhZDg2MTQ1NzNkZGE2MGE0NDI2YThkYTdiYjY1ZjgyZjBhYjRkOGI3ZDZiODJhOGU3NmI3In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OmY2NmM2NzAzZDY1NmI4ZGU2ZTY4MTdkMWNiZmZhOTQ3MTcwMTkwMDIwNmM1NjM3YTdmNzI0ZWQwOTE5YmYyYjEifV19", + "config": "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", "repoDigests": [], "architecture": "", "os": "" diff --git a/syft/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 3cd33e2b8f5..6a8f02a8920 100644 Binary files a/syft/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/syft/pkg/catalog.go b/syft/pkg/catalog.go index 59ff0292a43..e9f35e0c6ee 100644 --- a/syft/pkg/catalog.go +++ b/syft/pkg/catalog.go @@ -110,6 +110,8 @@ func (c *Catalog) Add(p Package) { if err := existing.merge(p); err != nil { log.Warnf("failed to merge packages: %+v", err) } else { + // TODO should we update the map to be pointer so modifications are reflected? + c.byID[id] = existing // existing is a copy; update catalog with merged package c.addPathsToIndex(p) } return diff --git a/syft/pkg/cataloger/common/cpe/generate_test.go b/syft/pkg/cataloger/common/cpe/generate_test.go index 518ed6f26ec..77df1bfdb0f 100644 
--- a/syft/pkg/cataloger/common/cpe/generate_test.go +++ b/syft/pkg/cataloger/common/cpe/generate_test.go @@ -240,7 +240,7 @@ func TestGeneratePackageCPEs(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: "/opt/jboss/keycloak/modules/system/layers/base/org/apache/cxf/impl/main/cxf-rt-bindings-xml-3.3.10.jar", + VirtualPath: []string{"/opt/jboss/keycloak/modules/system/layers/base/org/apache/cxf/impl/main/cxf-rt-bindings-xml-3.3.10.jar"}, Manifest: &pkg.JavaManifest{ Main: map[string]string{ "Automatic-Module-Name": "org.apache.cxf.binding.xml", diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index b87cf55266a..4b09349fb53 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -179,6 +179,11 @@ func (j *archiveParser) discoverMainPackage() (*pkg.Package, error) { log.Warnf("failed to create digest for file=%q: %+v", j.archivePath, err) } + vp := make([]string, 0) + if j.virtualPath != "" { + vp = append(vp, j.virtualPath) + } + return &pkg.Package{ Name: selectName(manifest, j.fileInfo), Version: selectVersion(manifest, j.fileInfo), @@ -186,7 +191,7 @@ func (j *archiveParser) discoverMainPackage() (*pkg.Package, error) { Type: j.fileInfo.pkgType(), MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: j.virtualPath, + VirtualPath: vp, Manifest: manifest, ArchiveDigests: digests, }, @@ -365,6 +370,11 @@ func newPackageFromMavenData(pomProperties pkg.PomProperties, pomProject *pkg.Po } virtualPath += vPathSuffix + vp := make([]string, 0) + if virtualPath != "" { + vp = append(vp, virtualPath) + } + // discovered props = new package p := pkg.Package{ Name: pomProperties.ArtifactID, 
@@ -373,7 +383,7 @@ func newPackageFromMavenData(pomProperties pkg.PomProperties, pomProject *pkg.Po Type: pomProperties.PkgTypeIndicated(), MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath, + VirtualPath: vp, PomProperties: &pomProperties, PomProject: pomProject, Parent: parentPkg, @@ -397,7 +407,7 @@ func packageIdentitiesMatch(p pkg.Package, parentPkg *pkg.Package) bool { metadata := p.Metadata.(pkg.JavaMetadata) // the virtual path matches... - if parentPkg.Metadata.(pkg.JavaMetadata).VirtualPath == metadata.VirtualPath { + if len(metadata.VirtualPath) > 0 && metadata.VirtualPath[0] == parentPkg.Metadata.(pkg.JavaMetadata).VirtualPath[0] { return true } diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 30c67f0e9da..c0cb6f067aa 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -101,7 +101,7 @@ func TestParseJar(t *testing.T) { Type: pkg.JenkinsPluginPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: "test-fixtures/java-builds/packages/example-jenkins-plugin.hpi", + VirtualPath: []string{"test-fixtures/java-builds/packages/example-jenkins-plugin.hpi"}, Manifest: &pkg.JavaManifest{ Main: map[string]string{ "Manifest-Version": "1.0", @@ -152,7 +152,7 @@ func TestParseJar(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: "test-fixtures/java-builds/packages/example-java-app-gradle-0.1.0.jar", + VirtualPath: []string{"test-fixtures/java-builds/packages/example-java-app-gradle-0.1.0.jar"}, Manifest: &pkg.JavaManifest{ Main: map[string]string{ "Manifest-Version": "1.0", 
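Review bot: In `packageIdentitiesMatch` (syft/pkg/cataloger/java/archive_parser.go) the new condition checks the length of `metadata.VirtualPath` but then indexes `parentPkg.Metadata.(pkg.JavaMetadata).VirtualPath[0]` without a matching check. `discoverMainPackage` in this same commit builds an empty slice when `j.virtualPath` is empty, so a parent with no virtual path would make this a runtime index-out-of-range panic while scanning an archive. I would read the parent metadata into a local first and guard both sides: `if len(metadata.VirtualPath) > 0 && len(parentMeta.VirtualPath) > 0 && metadata.VirtualPath[0] == parentMeta.VirtualPath[0] {`. Only element 0 is compared, so once `merge` has accumulated several paths the result depends on slice order; a short comment saying that this is intended would help. The function body continues outside the hunk.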
@@ -177,7 +177,7 @@ func TestParseJar(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar", + VirtualPath: []string{"test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar"}, Manifest: &pkg.JavaManifest{ Main: map[string]string{ "Manifest-Version": "1.0", @@ -208,7 +208,7 @@ func TestParseJar(t *testing.T) { Metadata: pkg.JavaMetadata{ // ensure that nested packages with different names than that of the parent are appended as // a suffix on the virtual path - VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar:joda-time", + VirtualPath: []string{"test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar:joda-time"}, PomProperties: &pkg.PomProperties{ Path: "META-INF/maven/joda-time/joda-time/pom.properties", GroupID: "joda-time", @@ -602,7 +602,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -613,7 +613,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -626,7 +626,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath + ":" + "some-artifact-id", + VirtualPath: []string{virtualPath + ":" + "some-artifact-id"}, PomProperties: &pkg.PomProperties{ Name: "some-name", GroupID: "some-group-id", 
@@ -637,7 +637,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -671,7 +671,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -682,7 +682,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -695,7 +695,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath + ":" + "some-artifact-id", + VirtualPath: []string{virtualPath + ":" + "some-artifact-id"}, PomProperties: &pkg.PomProperties{ Name: "some-name", GroupID: "some-group-id", @@ -719,7 +719,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -740,7 +740,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, 
@@ -751,7 +751,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -764,7 +764,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Type: pkg.JenkinsPluginPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath + ":" + "some-artifact-id", + VirtualPath: []string{virtualPath + ":" + "some-artifact-id"}, PomProperties: &pkg.PomProperties{ Name: "some-name", GroupID: "com.cloudbees.jenkins.plugins", @@ -775,7 +775,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Name: "some-parent-name", Version: "2.0", Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -797,7 +797,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "2.0", Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, @@ -809,7 +809,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "2.0", Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, // note: we attach the discovered pom properties data PomProperties: &pkg.PomProperties{ @@ -836,7 +836,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "2.0", Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, PomProperties: nil, Parent: nil, 
@@ -847,7 +847,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "2.0", Type: pkg.JenkinsPluginPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: "some-parent-virtual-path", + VirtualPath: []string{"some-parent-virtual-path"}, Manifest: nil, // note: we attach the discovered pom properties data PomProperties: &pkg.PomProperties{ @@ -874,7 +874,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "", // note: empty, so should not be matched on Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath, // note: matching virtual path + VirtualPath: []string{virtualPath}, // note: matching virtual path Manifest: nil, PomProperties: nil, Parent: nil, @@ -885,7 +885,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "3.0", Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath, + VirtualPath: []string{virtualPath}, Manifest: nil, // note: we attach the discovered pom properties data PomProperties: &pkg.PomProperties{ @@ -912,7 +912,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "2.0", Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath + ":NEW_VIRTUAL_PATH", // note: DOES NOT match the existing virtual path + VirtualPath: []string{virtualPath + ":NEW_VIRTUAL_PATH"}, // note: DOES NOT match the existing virtual path Manifest: nil, PomProperties: nil, Parent: nil, @@ -924,7 +924,7 @@ func Test_newPackageFromMavenData(t *testing.T) { Version: "NOT_THE_PARENT_VERSION", // note: the version is updated from pom properties Type: pkg.JavaPkg, Metadata: pkg.JavaMetadata{ - VirtualPath: virtualPath + ":NEW_VIRTUAL_PATH", + VirtualPath: []string{virtualPath + ":NEW_VIRTUAL_PATH"}, Manifest: nil, // note: we attach the discovered pom properties data PomProperties: &pkg.PomProperties{ diff --git a/syft/pkg/cataloger/java/package_url_test.go b/syft/pkg/cataloger/java/package_url_test.go index b3785a4dfca..0dbb19a5cdd 100644 --- a/syft/pkg/cataloger/java/package_url_test.go 
+++ b/syft/pkg/cataloger/java/package_url_test.go @@ -21,7 +21,7 @@ func Test_packageURL(t *testing.T) { Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - VirtualPath: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar", + VirtualPath: []string{"test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar"}, Manifest: &pkg.JavaManifest{ Main: map[string]string{ "Manifest-Version": "1.0", diff --git a/syft/pkg/cataloger/java/parse_pom_xml.go b/syft/pkg/cataloger/java/parse_pom_xml.go index b343c8f46d3..2febbc533ca 100644 --- a/syft/pkg/cataloger/java/parse_pom_xml.go +++ b/syft/pkg/cataloger/java/parse_pom_xml.go @@ -57,6 +57,7 @@ func newPomProject(path string, p gopom.Project) *pkg.PomProject { } func newPackageFromPom(dep gopom.Dependency) *pkg.Package { + vp := make([]string, 0) p := &pkg.Package{ Name: dep.ArtifactID, Version: dep.Version, @@ -65,13 +66,21 @@ func newPackageFromPom(dep gopom.Dependency) *pkg.Package { MetadataType: pkg.JavaMetadataType, FoundBy: javaPomCataloger, Metadata: pkg.JavaMetadata{ + VirtualPath: vp, PomProperties: &pkg.PomProperties{ GroupID: dep.GroupID, }, }, } - p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)} + p.Metadata = pkg.JavaMetadata{ + VirtualPath: vp, + PURL: packageURL(*p), + PomProperties: &pkg.PomProperties{ + GroupID: dep.GroupID, + Extra: make(map[string]string), + }, + } return p } diff --git a/syft/pkg/java_metadata.go b/syft/pkg/java_metadata.go index 779845b5461..2327cf9baec 100644 --- a/syft/pkg/java_metadata.go +++ b/syft/pkg/java_metadata.go 
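Review bot: `newPackageFromPom` (syft/pkg/cataloger/java/parse_pom_xml.go) now writes the `pkg.JavaMetadata` literal twice, and the two copies already differ: only the second sets `Extra: make(map[string]string)`. The first literal appears to exist only so that `packageURL(*p)` can see the group ID, so every later field change has to be made in both places by hand. Building the value once in a local `meta` before the package literal and finishing with `meta.PURL = packageURL(*p)` followed by `p.Metadata = meta` keeps a single source for the fields. If `packageURL` is expected to see a nil `Extra`, that should be stated in a comment instead.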
@@ -20,11 +20,11 @@ var jenkinsPluginPomPropertiesGroupIDs = []string{ // JavaMetadata encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship. type JavaMetadata struct { - VirtualPath string `json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars + VirtualPath []string `hash:"ignore" json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars Manifest *JavaManifest `mapstructure:"Manifest" json:"manifest,omitempty"` PomProperties *PomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"` PomProject *PomProject `mapstructure:"PomProject" json:"pomProject,omitempty"` - ArchiveDigests []file.Digest `hash:"ignore" json:"digest,omitempty"` + ArchiveDigests []file.Digest `json:"digest,omitempty"` PURL string `hash:"ignore" json:"-"` // pURLs and CPEs are ignored for package IDs Parent *Package `hash:"ignore" json:"-"` // note: the parent cannot be included in the minimal definition of uniqueness since this field is not reproducible in an encode-decode cycle (is lossy). } diff --git a/syft/pkg/package.go b/syft/pkg/package.go index ccfbbb01f48..fc9e873be87 100644 --- a/syft/pkg/package.go +++ b/syft/pkg/package.go 
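Review bot: The field comment on `VirtualPath` in `JavaMetadata` no longer describes the field. It is now a list, it is tagged `hash:"ignore"` so it no longer takes part in the package ID, and `ArchiveDigests` has taken its place in the hash. I would reword it along the lines of `// every virtual path this package was found at; excluded from the package ID, archives are told apart by ArchiveDigests`. It is also worth a sentence on what happens when no digest is available: `discoverMainPackage` only logs a warning if digest creation fails, so in that case two different archives with the same name and version would presumably hash to the same ID and be merged into one SBOM entry.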
@@ -18,7 +18,7 @@ type Package struct { Name string // the package name Version string // the version of the package FoundBy string `cyclonedx:"foundBy"` // the specific cataloger that discovered this package - Locations source.LocationSet // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package) + Locations source.LocationSet `hash:"ignore"` // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package) Licenses []string // licenses discovered with the package metadata Language Language `cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc) Type Type `cyclonedx:"type"` // the package type (e.g. Npm, Yarn, Python, Rpm, Deb, etc) @@ -55,6 +55,7 @@ func (p *Package) merge(other Package) error { if p.id != other.id { return fmt.Errorf("cannot merge packages with different IDs: %q vs %q", p.id, other.id) } + if p.PURL != other.PURL { log.Warnf("merging packages have with different pURLs: %q=%q vs %q=%q", p.id, p.PURL, other.id, other.PURL) } @@ -66,6 +67,15 @@ func (p *Package) merge(other Package) error { if p.PURL == "" { p.PURL = other.PURL } + + if p.MetadataType == JavaMetadataType { + virtualPaths := p.Metadata.(JavaMetadata).VirtualPath + virtualPaths = append(virtualPaths, other.Metadata.(JavaMetadata).VirtualPath...) + if t, ok := p.Metadata.(JavaMetadata); ok { + t.VirtualPath = virtualPaths + p.Metadata = t + } + } return nil } diff --git a/syft/pkg/package_test.go b/syft/pkg/package_test.go index 7c3246a08ce..70eb5ae2f45 100644 --- a/syft/pkg/package_test.go +++ b/syft/pkg/package_test.go 
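Review bot: In `Package.merge` (syft/pkg/package.go) the two bare assertions `p.Metadata.(JavaMetadata)` and `other.Metadata.(JavaMetadata)` run before the `ok` check, so the checked assertion that follows cannot protect them. A package whose `MetadataType` is `JavaMetadataType` but whose `Metadata` holds anything else (nil, or a differently typed value) would panic here instead of returning the error that `Catalog.Add` already logs. The `append` also extends the slice taken from `p`, which may still share a backing array with the copy held elsewhere, and repeated merges will accumulate duplicate paths. I would assert both sides with the two-value form, return an error on mismatch, and append onto a fresh slice as below. The body of `merge` starts outside the hunk.

```go
	if p.MetadataType == JavaMetadataType {
		mine, ok := p.Metadata.(JavaMetadata)
		theirs, otherOK := other.Metadata.(JavaMetadata)
		if !ok || !otherOK {
			return fmt.Errorf("cannot merge java metadata for package %q: unexpected metadata type", p.id)
		}
		// copy first so the merged package never writes into a backing array shared with another copy
		paths := make([]string, 0, len(mine.VirtualPath)+len(theirs.VirtualPath))
		paths = append(paths, mine.VirtualPath...)
		paths = append(paths, theirs.VirtualPath...)
		mine.VirtualPath = paths
		p.Metadata = mine
	}
	return nil
```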
@@ -99,16 +99,6 @@ func TestIDUniqueness(t *testing.T) { }, expectedIDComparison: assert.NotEqual, }, - { - name: "location is reflected", - transform: func(pkg Package) Package { - locations := source.NewLocationSet(pkg.Locations.ToSlice()...) - locations.Add(source.NewLocation("/somewhere/new")) - pkg.Locations = locations - return pkg - }, - expectedIDComparison: assert.NotEqual, - }, { name: "same path for different filesystem is NOT reflected", transform: func(pkg Package) Package { diff --git a/test/integration/catalog_packages_cases_test.go b/test/integration/catalog_packages_cases_test.go index 512461105a2..29818285f80 100644 --- a/test/integration/catalog_packages_cases_test.go +++ b/test/integration/catalog_packages_cases_test.go @@ -191,9 +191,11 @@ var dirOnlyTestCases = []testCase{ }, }, { - name: "find apkdb packages", - pkgType: pkg.ApkPkg, - duplicates: 2, // when the directory is cataloged we have duplicates between lib/ and pkgs/lib + name: "find apkdb packages", + pkgType: pkg.ApkPkg, + // when the directory is cataloged we have duplicates between lib/ and pkgs/lib however + // we don't want to count them since location data is merged, showing the same package in both locations + duplicates: 0, pkgInfo: map[string]string{ "musl-utils": "1.1.24-r2", "libc-utils": "0.7.2-r0", diff --git a/test/integration/catalog_packages_test.go b/test/integration/catalog_packages_test.go index 71f5e0c8eb2..1fe67b36c94 100644 --- a/test/integration/catalog_packages_test.go +++ b/test/integration/catalog_packages_test.go @@ -124,7 +124,7 @@ func TestPkgCoverageImage(t *testing.T) { for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { t.Log(" ", a) } - t.Fatalf("unexpected package count: %d!=%d", pkgCount, len(c.pkgInfo)) + t.Fatalf("unexpected package count: %d!=%d + duplicates:%d", pkgCount, len(c.pkgInfo), c.duplicates) } })