feat: Add the origin field to the output format of syftjson #1327
Conversation
There was a problem hiding this comment.
Thanks for the contribution @asi-cider! It looks like this Origin field is specific to NPM packages and as such should not be added to the main pkg.Package but rather the appropriate metadata type. In this case we probably need a new metadata type, something like PackageLockPackageMetadata, which is set when creating the package, which contains the Origin field. An example metadata type is here.
I think this change would also reduce some of the conflicts, as it stands there are a number of conflicts to resolve if you are able to.
Hey @kzantow, thanks for the response. This field exists in some form or another in all kinds of lock files. Currently I've add this for npm and pipfile but I intend to add this for more ecosystems. Do you still think it should be added as metadata field? |
|
@asi-cider I agree with @kzantow on this one. Though there are some similarities between different package managers on this field, at this time I think keeping this kind of field in the |
Sure i'll add that in |
|
Hey @kzantow and @wagoodman, |
|
Hey @kzantow, Could you guide me on how to fix the unit tests? |
|
Hey @kzantow @wagoodman, could you please help? |
|
@asi-cider I'll have a look today, but there's a conflict that needs to be dealt with -- are you able to merge the latest |
|
I can help out with the git conflicts and other updates |
Signed-off-by: Asaf Greenholts <[email protected]>
Signed-off-by: Asaf Greenholts <[email protected]>
Signed-off-by: Asaf Greenholts <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
|
I rebased on main and made the following changes:
|
…1327) * moved the relevant fields to the Metadata field Signed-off-by: Asaf Greenholts <[email protected]> * added metadata types Signed-off-by: Asaf Greenholts <[email protected]> * Added hashes to metadata of packge-lock.json and Pipfile.lock Signed-off-by: Asaf Greenholts <[email protected]> * move package metadata types to "pkg" package Signed-off-by: Alex Goodman <[email protected]> * re-generate json schema to include new npm, python, and binary metadatas Signed-off-by: Alex Goodman <[email protected]> Signed-off-by: Asaf Greenholts <[email protected]> Signed-off-by: Alex Goodman <[email protected]> Co-authored-by: Alex Goodman <[email protected]>
This PR adds the origin field to the output format of syftjson when parsing “package-lock.json” or “Pipfile.lock”. The origin field can be useful in tracking the origin of downloaded packages in case of a security incident. The origin field contains the URL used to download an artifact according to the appropriate lock file. For example, package-lock.json has the resolved field to indicate the url used to download the package.
I wasn’t able to find a way to update the golden files of the integration tests similarly to the argument in the unit test’s golden files. Could you please guide me on how to update them?
Changes to the golden files were done using the appropriate parameters of the test files.