From 39535d77e3540241f04ef3d1509bf8f5374e537b Mon Sep 17 00:00:00 2001
From: Christian Dupuis
Date: Mon, 9 Dec 2024 18:11:55 +0100
Subject: [PATCH] Allow extra scanners to be configured

fixes #109

---
 examples/npm-lock/.dockerignore | 1 +
 examples/npm-lock/Dockerfile | 19 +++++++++++++++++++
 examples/npm-lock/checks/sbom.spdx.json | 18 ++++++++++++++++++
 examples/npm-lock/package-lock.json | 22 ++++++++++++++++++++++
 hack/check-example.sh | 8 +++++++-
 internal/target.go | 15 +++++++++++----
 6 files changed, 78 insertions(+), 5 deletions(-)
 create mode 100644 examples/npm-lock/.dockerignore
 create mode 100644 examples/npm-lock/Dockerfile
 create mode 100644 examples/npm-lock/checks/sbom.spdx.json
 create mode 100644 examples/npm-lock/package-lock.json
diff --git a/examples/npm-lock/.dockerignore b/examples/npm-lock/.dockerignore
new file mode 100644
index 00000000..f3d6549d
--- /dev/null
+++ b/examples/npm-lock/.dockerignore
@@ -0,0 +1 @@
+/build/
\ No newline at end of file
diff --git a/examples/npm-lock/Dockerfile b/examples/npm-lock/Dockerfile
new file mode 100644
index 00000000..0c93b747
--- /dev/null
+++ b/examples/npm-lock/Dockerfile
@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1
+
+# Copyright 2022 buildkit-syft-scanner authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM scratch
+
+COPY package-lock.json /package-lock.json
\ No newline at end of file
diff --git a/examples/npm-lock/checks/sbom.spdx.json b/examples/npm-lock/checks/sbom.spdx.json
new file mode 100644
index 00000000..4d76999a
--- /dev/null
+++ b/examples/npm-lock/checks/sbom.spdx.json
@@ -0,0 +1,18 @@
+{
+"_type": "https://in-toto.io/Statement/v0.1",
+"predicateType": "https://spdx.dev/Document",
+"predicate": {
+"SPDXID": "SPDXRef-DOCUMENT",
+"name": "sbom",
+"packages": [
+{
+"SPDXID": "=package",
+"name": "lodash"
+},
+{
+"SPDXID": "=package",
+"name": "npm"
+}
+]
+}
+}
\ No newline at end of file
diff --git a/examples/npm-lock/package-lock.json b/examples/npm-lock/package-lock.json
new file mode 100644
index 00000000..19e03529
--- /dev/null
+++ b/examples/npm-lock/package-lock.json
@@ -0,0 +1,22 @@
+{
+"name": "npm",
+"version": "1.0.0",
+"lockfileVersion": 3,
+"requires": true,
+"packages": {
+"": {
+"name": "npm",
+"version": "1.0.0",
+"license": "ISC",
+"dependencies": {
+"lodash": "^4.17.21"
+}
+},
+"node_modules/lodash": {
+"version": "4.17.21",
+"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
+"license": "MIT"
+}
+}
+}
diff --git a/hack/check-example.sh b/hack/check-example.sh
index 0a8b7a53..92be4890 100755
--- a/hack/check-example.sh
+++ b/hack/check-example.sh
@@ -21,7 +21,13 @@ GENERATOR=$1
 
 for example in "${@:2}"; do
 example=$(basename "$example")
 echo "[-] Building example ${example}..."
- docker buildx build "./examples/${example}" --sbom=generator="${GENERATOR}" --output="./examples/${example}/build"
+
+ if [[ ${example} == "npm-lock" ]]; then
+ docker buildx build "./examples/${example}" --sbom="generator=${GENERATOR},SELECT_CATALOGERS=+javascript-lock-cataloger" --output="./examples/${example}/build"
+ else
+ docker buildx build "./examples/${example}" --sbom="generator=${GENERATOR}" --output="./examples/${example}/build"
+ fi
+
 echo "[-] Checking example ${example}..."
 for file in "./examples/${example}"/checks/*.json; do
diff --git a/internal/target.go b/internal/target.go
index 82dd4abf..60d09860 100644
--- a/internal/target.go
+++ b/internal/target.go
@@ -17,7 +17,9 @@ package internal
 import (
 "context"
 "fmt"
+ "os"
 "path/filepath"
+ "strings"
 
 "github.com/anchore/syft/syft"
 "github.com/anchore/syft/syft/cataloging/pkgcataloging"
@@ -43,14 +45,19 @@ func (t Target) Scan(ctx context.Context) (sbom.SBOM, error) {
 return sbom.SBOM{}, fmt.Errorf("failed to get source from %q: %w", t.Path, err)
 }
 
+ sr := pkgcataloging.NewSelectionRequest().
+ WithDefaults(pkgcataloging.ImageTag).
+ WithAdditions("sbom-cataloger")
+
+ if v, ok := os.LookupEnv("BUILDKIT_SCAN_SELECT_CATALOGERS"); ok {
+ sr = pkgcataloging.NewSelectionRequest().WithExpression(strings.Split(v, ",")...)
+ }
+
 result, err := syft.CreateSBOM(
 ctx,
 src,
 syft.DefaultCreateSBOMConfig().
- WithCatalogerSelection(
- pkgcataloging.NewSelectionRequest().
- WithDefaults(pkgcataloging.ImageTag).
- WithAdditions("sbom-cataloger")))
+ WithCatalogerSelection(sr))
 if err != nil {
 return sbom.SBOM{}, err
 }
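Review bot: The two `docker buildx build` invocations inside the new `if`/`else` differ only in the `--sbom` value, so the build command is now maintained in two places and the `npm-lock` special case is keyed on a hard-coded example name. Build the option string first and run a single command, so the next example that needs its own scanner parameters only extends the option rather than adding a third copy of the command (see fence). The `for example` loop this sits in starts and ends outside the hunk.
```shell
    echo "[-] Building example ${example}..."

    sbom_opts="generator=${GENERATOR}"
    if [[ ${example} == "npm-lock" ]]; then
        # extra scanner parameters this example needs
        sbom_opts+=",SELECT_CATALOGERS=+javascript-lock-cataloger"
    fi
    docker buildx build "./examples/${example}" --sbom="${sbom_opts}" --output="./examples/${example}/build"

    # … unchanged: check loop …
```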
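Review bot: When `BUILDKIT_SCAN_SELECT_CATALOGERS` is set, the new `if` in `Scan` discards the request built just above it, so the explicit `sbom-cataloger` addition is lost and a removal expression in the variable can quietly narrow what ends up in the attested SBOM; whether syft re-applies the image defaults to a request that has no `WithDefaults` is not visible here, so either apply the expressions on top of the default request (`sr = sr.WithExpression(exprs...)`) if the intent is the additive one the commit title describes, or say in a comment that the variable is a full override. The value is also split on `,` without trimming, so an empty value becomes the single expression `""` and `a, b` yields `" b"`; trimming and dropping empty entries keeps a malformed selection from reaching syft (fence). Logging the effective selection next to the existing build output would make it auditable which catalogers produced a given SBOM. `Scan` starts and ends outside the hunk.
```go
	if v, ok := os.LookupEnv("BUILDKIT_SCAN_SELECT_CATALOGERS"); ok {
		var exprs []string
		for _, e := range strings.Split(v, ",") {
			if e = strings.TrimSpace(e); e != "" {
				exprs = append(exprs, e)
			}
		}
		if len(exprs) > 0 {
			// the variable replaces the default selection entirely
			sr = pkgcataloging.NewSelectionRequest().WithExpression(exprs...)
		}
	}

	// … unchanged: syft.CreateSBOM call …
```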