Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add package for go compiler given binary detection #2195

Merged
merged 12 commits into from
Oct 6, 2023
Merged

feat: add package for go compiler given binary detection #2195

merged 12 commits into from
Oct 6, 2023

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Oct 4, 2023
edited by wagoodman
Loading

Syft currently has a Golang binary cataloger. This PR adds a unique synthetic package to the SBOM output that represents the go compiler when detected as a part of the go binary cataloger.

When using an SBOM generated by syft - downstream vulnerability scanners now have the opportunity to detect/report on the PURL/CPEs attached to the new package.

One more piece of work should be doing a bit more string parsing on the go version to identify rc and other candidate releases to improve CPE generation. I'll make those changes before we review.

Closes #1853

@spiffcs spiffcs force-pushed the go-compiler-version branch from dbd651d to fb3afc9 Compare October 4, 2023 16:30
@spiffcs
fix: remove incidental wip commit
1ca17dd 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs force-pushed the go-compiler-version branch from fb3afc9 to 1ca17dd Compare October 4, 2023 16:36
@spiffcs spiffcs force-pushed the go-compiler-version branch from eec4e80 to 5617c1b Compare October 5, 2023 12:55
@spiffcs spiffcs requested a review from wagoodman October 5, 2023 13:01
@spiffcs spiffcs marked this pull request as ready for review October 5, 2023 13:01
@spiffcs spiffcs force-pushed the go-compiler-version branch from a0dce54 to 0d0d16c Compare October 6, 2023 02:13
@spiffcs spiffcs added the blocked Progress is being stopped by something label Oct 6, 2023
@spiffcs
Copy link
Contributor Author

spiffcs commented Oct 6, 2023

Blocked on #2201

Will merge after review and 2201 is merged into main

@spiffcs
Merge branch 'main' into go-compiler-version
5a87a12 
* main:
  chore: update license list to 3.22 (#2201)
  Add exact syntax of the conversion formats (#2196)
  chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7 (#2198)
  chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0 (#2199)
  chore: removes unnecessary conditional (#2194)
@spiffcs spiffcs removed the blocked Progress is being stopped by something label Oct 6, 2023
wagoodman
wagoodman approved these changes Oct 6, 2023
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙌

@spiffcs spiffcs merged commit f6c8057 into main Oct 6, 2023
@spiffcs spiffcs deleted the go-compiler-version branch October 6, 2023 17:15
@spiffcs spiffcs mentioned this pull request Oct 9, 2023
Closed
@chenrui333 chenrui333 mentioned this pull request Oct 10, 2023
Merged
@westonsteimel westonsteimel mentioned this pull request Feb 16, 2024
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
feat: add package for go compiler given binary detection (anchore#2195)
5fbaefc 
adds a unique synthetic package to the SBOM output that represents the go compiler when it is detected as a part of a package discovered by the go binary cataloger.

When using an SBOM generated by syft - downstream vulnerability scanners now have the opportunity to detect/report on the PURL/CPEs attached to the new stdlib package.
---------

Signed-off-by: Christopher Phillips <[email protected]>
@sunwhawhang sunwhawhang mentioned this pull request Apr 3, 2024
Open
@sunwhawhang sunwhawhang mentioned this pull request Apr 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Golang STD library package given a Golang binary has been discovered compiled with that go binary
2 participants
@spiffcs @wagoodman