1 | | - | package pkg |
2 | | - | |
3 | | - | import ( |
4 | | - | "encoding/json" |
5 | | - | "fmt" |
6 | | - | "io" |
7 | | - | "os" |
8 | | - | "strings" |
9 | | - | |
10 | | - | "github.com/anchore/grype/internal/log" |
11 | | - | |
12 | | - | "github.com/anchore/grype/grype/cpe" |
13 | | - | "github.com/anchore/syft/syft/distro" |
14 | | - | "github.com/anchore/syft/syft/pkg" |
15 | | - | "github.com/anchore/syft/syft/source" |
16 | | - | "github.com/mitchellh/go-homedir" |
17 | | - | ) |
18 | | - | |
19 | | - | type syftSource struct { |
20 | | - | Type string `json:"type"` |
21 | | - | Target interface{} `json:"target"` |
22 | | - | } |
23 | | - | |
24 | | - | // syftSourceUnpacker is used to unmarshal Source objects |
25 | | - | type syftSourceUnpacker struct { |
26 | | - | Type string `json:"type"` |
27 | | - | Target json.RawMessage `json:"target"` |
28 | | - | } |
29 | | - | |
30 | | - | // UnmarshalJSON populates a source object from JSON bytes. |
31 | | - | func (s *syftSource) UnmarshalJSON(b []byte) error { |
32 | | - | var unpacker syftSourceUnpacker |
33 | | - | if err := json.Unmarshal(b, &unpacker); err != nil { |
34 | | - | return err |
35 | | - | } |
36 | | - | |
37 | | - | s.Type = unpacker.Type |
38 | | - | |
39 | | - | switch s.Type { |
40 | | - | case "directory": |
41 | | - | s.Target = string(unpacker.Target[:]) |
42 | | - | case "image": |
43 | | - | var payload source.ImageMetadata |
44 | | - | if err := json.Unmarshal(unpacker.Target, &payload); err != nil { |
45 | | - | return err |
46 | | - | } |
47 | | - | s.Target = payload |
48 | | - | default: |
49 | | - | return fmt.Errorf("unsupported package metadata type: %+v", s.Type) |
50 | | - | } |
51 | | - | |
52 | | - | return nil |
53 | | - | } |
54 | | - | |
55 | | - | // ToSourceMetadata takes a syftSource object represented from JSON and creates a source.Metadata object. |
56 | | - | func (s *syftSource) toSourceMetadata() source.Metadata { |
57 | | - | var m source.Metadata |
58 | | - | switch s.Type { |
59 | | - | case "directory": |
60 | | - | m.Scheme = source.DirectoryScheme |
61 | | - | m.Path = s.Target.(string) |
62 | | - | case "image": |
63 | | - | m.Scheme = source.ImageScheme |
64 | | - | m.ImageMetadata = s.Target.(source.ImageMetadata) |
65 | | - | } |
66 | | - | return m |
67 | | - | } |
68 | | - | |
69 | | - | type syftDistribution struct { |
70 | | - | Name string `json:"name"` // Name of the Linux syftDistribution |
71 | | - | Version string `json:"version"` // Version of the Linux syftDistribution (major or major.minor version) |
72 | | - | IDLike string `json:"idLike"` // the ID_LIKE field found within the /etc/os-release file |
73 | | - | } |
74 | | - | |
75 | | - | // partialSyftDoc is the final package shape for a select elements from a syft JSON document. |
76 | | - | type partialSyftDoc struct { |
77 | | - | Source syftSource `json:"source"` |
78 | | - | Artifacts []partialSyftPackage `json:"artifacts"` |
79 | | - | Distro syftDistribution `json:"distro"` |
80 | | - | } |
81 | | - | |
82 | | - | // partialSyftPackage is the final package shape for a select elements from a syft JSON package. |
83 | | - | type partialSyftPackage struct { |
84 | | - | packageBasicMetadata |
85 | | - | packageCustomMetadata |
86 | | - | } |
87 | | - | |
88 | | - | // packageBasicMetadata contains non-ambiguous values (type-wise) from pkg.Package. |
89 | | - | type packageBasicMetadata struct { |
90 | | - | ID string `json:"id"` |
91 | | - | Name string `json:"name"` |
92 | | - | Version string `json:"version"` |
93 | | - | Type pkg.Type `json:"type"` |
94 | | - | Locations []source.Location `json:"locations"` |
95 | | - | Licenses []string `json:"licenses"` |
96 | | - | Language pkg.Language `json:"language"` |
97 | | - | CPEs []string `json:"cpes"` |
98 | | - | PURL string `json:"purl"` |
99 | | - | } |
100 | | - | |
101 | | - | // packageCustomMetadata contains ambiguous values (type-wise) from pkg.Package. |
102 | | - | type packageCustomMetadata struct { |
103 | | - | MetadataType pkg.MetadataType `json:"metadataType"` |
104 | | - | Metadata interface{} `json:"metadata"` |
105 | | - | } |
106 | | - | |
107 | | - | // packageMetadataUnpacker is all values needed from Package to disambiguate ambiguous fields during json unmarshaling. |
108 | | - | type packageMetadataUnpacker struct { |
109 | | - | MetadataType pkg.MetadataType `json:"metadataType"` |
110 | | - | Metadata json.RawMessage `json:"metadata"` |
111 | | - | } |
112 | | - | |
113 | | - | func (p *packageMetadataUnpacker) String() string { |
114 | | - | return fmt.Sprintf("metadataType: %s, metadata: %s", p.MetadataType, string(p.Metadata)) |
115 | | - | } |
116 | | - | |
117 | | - | // partialSyftJavaMetadata encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship. |
118 | | - | type partialSyftJavaMetadata struct { |
119 | | - | VirtualPath string `mapstructure:"VirtualPath" json:"virtualPath"` |
120 | | - | Manifest *partialSyftJavaManifest `mapstructure:"Manifest" json:"manifest,omitempty"` |
121 | | - | PomProperties *partialSyftPomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty"` |
122 | | - | } |
123 | | - | |
124 | | - | // partialSyftPomProperties represents the fields of interest extracted from a Java archive's pom.xml file. |
125 | | - | type partialSyftPomProperties struct { |
126 | | - | GroupID string `mapstructure:"groupId" json:"groupId"` |
127 | | - | ArtifactID string `mapstructure:"artifactId" json:"artifactId"` |
128 | | - | } |
129 | | - | |
130 | | - | // partialSyftJavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file. |
131 | | - | type partialSyftJavaManifest struct { |
132 | | - | Main map[string]string `json:"main,omitempty"` |
133 | | - | } |
134 | | - | |
135 | | - | // String returns the stringer representation for a syft package. |
136 | | - | func (p partialSyftPackage) String() string { |
137 | | - | return fmt.Sprintf("Pkg(type=%s, name=%s, version=%s)", p.Type, p.Name, p.Version) |
138 | | - | } |
139 | | - | |
140 | | - | // UnmarshalJSON is a custom unmarshaller for handling basic values and values with ambiguous types. |
141 | | - | func (p *partialSyftPackage) UnmarshalJSON(b []byte) error { |
142 | | - | var basic packageBasicMetadata |
143 | | - | if err := json.Unmarshal(b, &basic); err != nil { |
144 | | - | return err |
145 | | - | } |
146 | | - | p.packageBasicMetadata = basic |
147 | | - | |
148 | | - | var unpacker packageMetadataUnpacker |
149 | | - | if err := json.Unmarshal(b, &unpacker); err != nil { |
150 | | - | log.Warnf("failed to unmarshall into packageMetadataUnpacker: %v", err) |
151 | | - | return err |
152 | | - | } |
153 | | - | |
154 | | - | p.MetadataType = unpacker.MetadataType |
155 | | - | |
156 | | - | switch p.MetadataType { |
157 | | - | case pkg.ApkMetadataType: |
158 | | - | var payload ApkMetadata |
159 | | - | if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil { |
160 | | - | return err |
161 | | - | } |
162 | | - | p.Metadata = payload |
163 | | - | case pkg.RpmdbMetadataType: |
164 | | - | var payload RpmdbMetadata |
165 | | - | if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil { |
166 | | - | return err |
167 | | - | } |
168 | | - | p.Metadata = payload |
169 | | - | case pkg.DpkgMetadataType: |
170 | | - | var payload DpkgMetadata |
171 | | - | if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil { |
172 | | - | return err |
173 | | - | } |
174 | | - | p.Metadata = payload |
175 | | - | case pkg.JavaMetadataType: |
176 | | - | var partialPayload partialSyftJavaMetadata |
177 | | - | if err := json.Unmarshal(unpacker.Metadata, &partialPayload); err != nil { |
178 | | - | return err |
179 | | - | } |
180 | | - | |
181 | | - | var artifact, group, name string |
182 | | - | if partialPayload.PomProperties != nil { |
183 | | - | artifact = partialPayload.PomProperties.ArtifactID |
184 | | - | group = partialPayload.PomProperties.GroupID |
185 | | - | } |
186 | | - | |
187 | | - | if partialPayload.Manifest != nil { |
188 | | - | if n, ok := partialPayload.Manifest.Main["Name"]; ok { |
189 | | - | name = n |
190 | | - | } |
191 | | - | } |
192 | | - | |
193 | | - | p.Metadata = JavaMetadata{ |
194 | | - | VirtualPath: partialPayload.VirtualPath, |
195 | | - | PomArtifactID: artifact, |
196 | | - | PomGroupID: group, |
197 | | - | ManifestName: name, |
198 | | - | } |
199 | | - | } |
200 | | - | |
201 | | - | return nil |
202 | | - | } |
203 | | - | |
204 | | - | // parseSyftJSON attempts to loosely parse the available JSON for only the fields needed, not the exact syft JSON shape. |
205 | | - | // This allows for some resiliency as the syft document shape changes over time (but not fool-proof). |
206 | | - | func parseSyftJSON(reader io.Reader) ([]Package, Context, error) { |
207 | | - | var doc partialSyftDoc |
208 | | - | decoder := json.NewDecoder(reader) |
209 | | - | if err := decoder.Decode(&doc); err != nil { |
210 | | - | return nil, Context{}, errDoesNotProvide |
211 | | - | } |
212 | | - | |
213 | | - | var packages = make([]Package, len(doc.Artifacts)) |
214 | | - | for i, a := range doc.Artifacts { |
215 | | - | cpes, err := cpe.NewSlice(a.CPEs...) |
216 | | - | if err != nil { |
217 | | - | return nil, Context{}, err |
218 | | - | } |
219 | | - | |
220 | | - | packages[i] = Package{ |
221 | | - | ID: ID(a.ID), |
222 | | - | Name: a.Name, |
223 | | - | Version: a.Version, |
224 | | - | Locations: a.Locations, |
225 | | - | Language: a.Language, |
226 | | - | Licenses: a.Licenses, |
227 | | - | Type: a.Type, |
228 | | - | CPEs: cpes, |
229 | | - | PURL: a.PURL, |
230 | | - | Metadata: a.Metadata, |
231 | | - | } |
232 | | - | } |
233 | | - | |
234 | | - | var theDistro *distro.Distro |
235 | | - | if doc.Distro.Name != "" { |
236 | | - | d, err := distro.NewDistro(distro.Type(doc.Distro.Name), doc.Distro.Version, doc.Distro.IDLike) |
237 | | - | if err != nil { |
238 | | - | return nil, Context{}, err |
239 | | - | } |
240 | | - | theDistro = &d |
241 | | - | } |
242 | | - | |
243 | | - | srcMetadata := doc.Source.toSourceMetadata() |
244 | | - | |
245 | | - | return packages, Context{ |
246 | | - | Source: &srcMetadata, |
247 | | - | Distro: theDistro, |
248 | | - | }, nil |
249 | | - | } |
250 | | - | |
251 | | - | // syftJSONProvider extracts the necessary package and package context from syft JSON output. Note that this process carves out |
252 | | - | // only the necessary data needed and does not require unmarshalling the entire syft JSON data shape so this function is somewhat |
253 | | - | // resilient to multiple syft JSON schemas (to a degree). |
254 | | - | // TODO: add version detection and multi-parser support (when needed in the future) |
255 | | - | func syftJSONProvider(config providerConfig) ([]Package, Context, error) { |
256 | | - | reader, err := getSyftJSON(config) |
257 | | - | if err != nil { |
258 | | - | return nil, Context{}, err |
259 | | - | } |
260 | | - | |
261 | | - | return parseSyftJSON(reader) |
262 | | - | } |
263 | | - | |
264 | | - | func getSyftJSON(config providerConfig) (io.Reader, error) { |
265 | | - | if config.reader != nil { |
266 | | - | // the caller has explicitly indicated to use the given reader as input |
267 | | - | return config.reader, nil |
268 | | - | } |
269 | | - | |
270 | | - | if explicitlySpecifyingSBOM(config.userInput) { |
271 | | - | filepath := strings.TrimPrefix(config.userInput, "sbom:") |
272 | | - | |
273 | | - | sbom, err := openSbom(filepath) |
274 | | - | if err != nil { |
275 | | - | return nil, fmt.Errorf("unable to use specified SBOM: %w", err) |
276 | | - | } |
277 | | - | |
278 | | - | return sbom, nil |
279 | | - | } |
280 | | - | |
281 | | - | // as a last resort, see if the raw user input specified an SBOM file |
282 | | - | sbom, err := openSbom(config.userInput) |
283 | | - | if err == nil { |
284 | | - | return sbom, nil |
285 | | - | } |
286 | | - | |
287 | | - | // no usable SBOM is available |
288 | | - | return nil, errDoesNotProvide |
289 | | - | } |
290 | | - | |
291 | | - | func openSbom(path string) (*os.File, error) { |
292 | | - | expandedPath, err := homedir.Expand(path) |
293 | | - | if err != nil { |
294 | | - | return nil, fmt.Errorf("unable to open SBOM: %w", err) |
295 | | - | } |
296 | | - | |
297 | | - | sbom, err := os.Open(expandedPath) |
298 | | - | if err != nil { |
299 | | - | return nil, fmt.Errorf("unable to open SBOM: %w", err) |
300 | | - | } |
301 | | - | |
302 | | - | return sbom, nil |
303 | | - | } |
304 | | - | |
305 | | - | func explicitlySpecifyingSBOM(userInput string) bool { |
306 | | - | return strings.HasPrefix(userInput, "sbom:") |
307 | | - | } |
308 | | - | |