Allow extra scanners to be configured

fixes #109
docker · Dec 9, 2024 · 39535d7 · 39535d7
1 parent 747aaae
commit 39535d7
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 5 deletions.
diff --git a/examples/npm-lock/.dockerignore b/examples/npm-lock/.dockerignore
@@ -0,0 +1 @@
+/build/
diff --git a/examples/npm-lock/Dockerfile b/examples/npm-lock/Dockerfile
@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+# Copyright 2022 buildkit-syft-scanner authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM scratch
+
+COPY package-lock.json /package-lock.json
diff --git a/examples/npm-lock/checks/sbom.spdx.json b/examples/npm-lock/checks/sbom.spdx.json
@@ -0,0 +1,18 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://spdx.dev/Document",
+  "predicate": {
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "sbom",
+    "packages": [
+      {
+        "SPDXID": "=package",
+        "name": "lodash"
+      },
+      {
+        "SPDXID": "=package",
+        "name": "npm"
+      }
+    ]
+  }
+}
diff --git a/examples/npm-lock/package-lock.json b/examples/npm-lock/package-lock.json
diff --git a/hack/check-example.sh b/hack/check-example.sh
@@ -21,7 +21,13 @@ GENERATOR=$1
 for example in "${@:2}"; do
   example=$(basename "$example")
   echo "[-] Building example ${example}..."
-  docker buildx build "./examples/${example}" --sbom=generator="${GENERATOR}" --output="./examples/${example}/build"
+
+  if [[ ${example} == "npm-lock" ]]; then
+     docker buildx build "./examples/${example}" --sbom="generator=${GENERATOR},SELECT_CATALOGERS=+javascript-lock-cataloger" --output="./examples/${example}/build"
+  else
+     docker buildx build "./examples/${example}" --sbom="generator=${GENERATOR}" --output="./examples/${example}/build"
+  fi
+
 
   echo "[-] Checking example ${example}..."
   for file in "./examples/${example}"/checks/*.json; do

diff --git a/internal/target.go b/internal/target.go
@@ -17,7 +17,9 @@ package internal
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
@@ -43,14 +45,19 @@ func (t Target) Scan(ctx context.Context) (sbom.SBOM, error) {
 		return sbom.SBOM{}, fmt.Errorf("failed to get source from %q: %w", t.Path, err)
 	}
 
+	sr := pkgcataloging.NewSelectionRequest().
+		WithDefaults(pkgcataloging.ImageTag).
+		WithAdditions("sbom-cataloger")
+
+	if v, ok := os.LookupEnv("BUILDKIT_SCAN_SELECT_CATALOGERS"); ok {
+		sr = pkgcataloging.NewSelectionRequest().WithExpression(strings.Split(v, ",")...)
+	}
+
 	result, err := syft.CreateSBOM(
 		ctx,
 		src,
 		syft.DefaultCreateSBOMConfig().
-			WithCatalogerSelection(
-				pkgcataloging.NewSelectionRequest().
-					WithDefaults(pkgcataloging.ImageTag).
-					WithAdditions("sbom-cataloger")))
+			WithCatalogerSelection(sr))
 	if err != nil {
 		return sbom.SBOM{}, err
 	}