Projects STRLCPY syft Commits 1530ef35
  • ■ ■ ■ ■ ■
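--- a/go.mod
+++ b/go.mod
@@ -31,7 +31,7 @@
  github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
  github.com/sergi/go-diff v1.3.1
  github.com/sirupsen/logrus v1.9.0
- github.com/spdx/tools-golang v0.4.0
+ github.com/spdx/tools-golang v0.5.0-rc1
  github.com/spf13/afero v1.9.3
  github.com/spf13/cobra v1.6.1
  github.com/spf13/pflag v1.0.5
@@ -69,6 +69,7 @@
  github.com/Masterminds/goutils v1.1.1 // indirect
  github.com/Masterminds/semver/v3 v3.2.0 // indirect
  github.com/Microsoft/go-winio v0.6.0 // indirect
+ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
  github.com/containerd/containerd v1.6.12 // indirect
  github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect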
  • ■ ■ ■ ■ ■ ■
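--- a/go.sum
+++ b/go.sum
@@ -138,6 +138,8 @@
 github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8/go.mod h1:+gPap4jha079qzRTUaehv+UZ6sSdaNwkH0D3b6zhTuk=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
@@ -1046,8 +1048,8 @@
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
-github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0=
-github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
+github.com/spdx/tools-golang v0.5.0-rc1 h1:ooCSe48QatlidqEFd+nSI308tyeNTR6NJvauUj3ApX8=
+github.com/spdx/tools-golang v0.5.0-rc1/go.mod h1:LI6onw172PdO57Ob/hgnLDD4Y2PMnroeNT3wO/2WJJI=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=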
  • ■ ■ ■ ■ ■ ■
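--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -8,8 +8,7 @@
  "strings"
  "time"
 
- "github.com/spdx/tools-golang/spdx/common"
- spdx "github.com/spdx/tools-golang/spdx/v2_3"
+ "github.com/spdx/tools-golang/spdx"
 
  "github.com/anchore/syft/internal"
  "github.com/anchore/syft/internal/log"
@@ -23,7 +22,6 @@
 )
 
 const (
- spdxVersion = "SPDX-2.3"
  noAssertion = "NOASSERTION"
 )
 
@@ -40,11 +38,11 @@
  // for the primary package purpose field:
  // https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
  documentDescribesRelationship := &spdx.Relationship{
- RefA: common.DocElementID{
+ RefA: spdx.DocElementID{
  ElementRefID: "DOCUMENT",
  },
  Relationship: string(DescribesRelationship),
- RefB: common.DocElementID{
+ RefB: spdx.DocElementID{
  ElementRefID: "DOCUMENT",
  },
  RelationshipComment: "",
@@ -55,11 +53,11 @@
  return &spdx.Document{
  // 6.1: SPDX Version; should be in the format "SPDX-x.x"
  // Cardinality: mandatory, one
- SPDXVersion: spdxVersion,
+ SPDXVersion: spdx.Version,
 
  // 6.2: Data License; should be "CC0-1.0"
  // Cardinality: mandatory, one
- DataLicense: "CC0-1.0",
+ DataLicense: spdx.DataLicense,
 
  // 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT
  // Cardinality: mandatory, one
@@ -104,7 +102,7 @@
  // 6.8: Creators: may have multiple keys for Person, Organization
  // and/or Tool
  // Cardinality: mandatory, one or many
- Creators: []common.Creator{
+ Creators: []spdx.Creator{
  {
  Creator: "Anchore, Inc",
  CreatorType: "Organization",
@@ -129,7 +127,7 @@
  }
 }
 
-func toSPDXID(identifiable artifact.Identifiable) common.ElementID {
+func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
  id := ""
  if p, ok := identifiable.(pkg.Package); ok {
  id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
@@ -137,7 +135,7 @@
  id = string(identifiable.ID())
  }
  // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
- return common.ElementID(id)
+ return spdx.ElementID(id)
 }
 
 // packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/)
@@ -313,9 +311,9 @@
  return results
 }
 
-func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
+func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) {
  filesAnalyzed := false
- var checksums []common.Checksum
+ var checksums []spdx.Checksum
  switch meta := p.Metadata.(type) {
  // we generate digest for some Java packages
  // spdx.github.io/spdx-spec/package-information/#710-package-checksum-field
@@ -325,8 +323,8 @@
  filesAnalyzed = true
  for _, digest := range meta.ArchiveDigests {
  algo := strings.ToUpper(digest.Algorithm)
- checksums = append(checksums, common.Checksum{
- Algorithm: common.ChecksumAlgorithm(algo),
+ checksums = append(checksums, spdx.Checksum{
+ Algorithm: spdx.ChecksumAlgorithm(algo),
  Value: digest.Value,
  })
  }
@@ -339,20 +337,20 @@
  break
  }
  algo = strings.ToUpper(algo)
- checksums = append(checksums, common.Checksum{
- Algorithm: common.ChecksumAlgorithm(algo),
+ checksums = append(checksums, spdx.Checksum{
+ Algorithm: spdx.ChecksumAlgorithm(algo),
  Value: hexStr,
  })
  }
  return checksums, filesAnalyzed
 }
 
-func toPackageOriginator(p pkg.Package) *common.Originator {
+func toPackageOriginator(p pkg.Package) *spdx.Originator {
  kind, originator := Originator(p)
  if kind == "" || originator == "" {
  return nil
  }
- return &common.Originator{
+ return &spdx.Originator{
  Originator: originator,
  OriginatorType: kind,
  }
@@ -386,11 +384,11 @@
  }
 
  result = append(result, &spdx.Relationship{
- RefA: common.DocElementID{
+ RefA: spdx.DocElementID{
  ElementRefID: toSPDXID(r.From),
  },
  Relationship: string(relationshipType),
- RefB: common.DocElementID{
+ RefB: spdx.DocElementID{
  ElementRefID: toSPDXID(r.To),
  },
  RelationshipComment: comment,
@@ -462,10 +460,10 @@
  return results
 }
 
-func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) {
- checksums = make([]common.Checksum, 0, len(digests))
+func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) {
+ checksums = make([]spdx.Checksum, 0, len(digests))
  for _, digest := range digests {
- checksums = append(checksums, common.Checksum{
+ checksums = append(checksums, spdx.Checksum{
  Algorithm: toChecksumAlgorithm(digest.Algorithm),
  Value: digest.Value,
  })
@@ -473,9 +471,9 @@
  return checksums
 }
 
-func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm {
+func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm {
  // this needs to be an uppercase version of our algorithm
- return common.ChecksumAlgorithm(strings.ToUpper(algorithm))
+ return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm))
 }
 
 func toFileTypes(metadata *source.FileMetadata) (ty []string) {
@@ -517,7 +515,7 @@
 // f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */
 // see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field
 // the above link contains the SPDX algorithm for a package verification code
-func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode {
+func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode {
  // key off of the contains relationship;
  // spdx validator will fail if a package claims to contain a file but no sha1 provided
  // if a sha1 for a file is provided then the validator will fail if the package does not have
@@ -558,7 +556,7 @@
  //nolint:gosec
  hasher := sha1.New()
  _, _ = hasher.Write([]byte(b.String()))
- return &common.PackageVerificationCode{
+ return &spdx.PackageVerificationCode{
  // 7.9.1: Package Verification Code Value
  // Cardinality: mandatory, one
  Value: fmt.Sprintf("%+x", hasher.Sum(nil)),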
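Review bot: `SPDXVersion: spdx.Version` and `DataLicense: spdx.DataLicense` in the `spdx.Document` literal tie the emitted values to whatever the unversioned `spdx` package resolves to, where the removed `spdxVersion = "SPDX-2.3"` constant pinned the version in this file. The comments and spec links around these fields still cite v2.3 sections, so a later tools-golang bump that moves that package to a newer spec would presumably change syft's declared version without any edit here. Consumers validate an SBOM against the version it declares, so I would document the coupling with `// spdx.Version follows the tools-golang default; re-check the field mappings below whenever the dependency is bumped` and assert the expected literal in a test. The function holding this literal starts and ends outside the visible hunks.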
  • ■ ■ ■ ■ ■ ■
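--- a/syft/formats/common/spdxhelpers/to_format_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_format_model_test.go
@@ -4,8 +4,7 @@
  "fmt"
  "testing"
 
- "github.com/spdx/tools-golang/spdx/common"
- spdx "github.com/spdx/tools-golang/spdx/v2_3"
+ "github.com/spdx/tools-golang/spdx"
  "github.com/stretchr/testify/assert"
  "github.com/stretchr/testify/require"
 
@@ -21,7 +20,7 @@
  tests := []struct {
  name string
  pkg pkg.Package
- expected []common.Checksum
+ expected []spdx.Checksum
  filesAnalyzed bool
  }{
  {
@@ -39,7 +38,7 @@
  },
  },
  },
- expected: []common.Checksum{
+ expected: []spdx.Checksum{
  {
  Algorithm: "SHA1",
  Value: "1234",
@@ -57,7 +56,7 @@
  ArchiveDigests: []file.Digest{},
  },
  },
- expected: []common.Checksum{},
+ expected: []spdx.Checksum{},
  filesAnalyzed: false,
  },
  {
@@ -67,7 +66,7 @@
  Version: "1.0.0",
  Language: pkg.Java,
  },
- expected: []common.Checksum{},
+ expected: []spdx.Checksum{},
  filesAnalyzed: false,
  },
  {
@@ -81,7 +80,7 @@
  H1Digest: "h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=",
  },
  },
- expected: []common.Checksum{
+ expected: []spdx.Checksum{
  {
  Algorithm: "SHA256",
  Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
@@ -97,7 +96,7 @@
  Language: pkg.Java,
  Metadata: struct{}{},
  },
- expected: []common.Checksum{},
+ expected: []spdx.Checksum{},
  filesAnalyzed: false,
  },
  }
@@ -229,7 +228,7 @@
  tests := []struct {
  name string
  digests []file.Digest
- expected []common.Checksum
+ expected []spdx.Checksum
  }{
  {
  name: "empty",
@@ -246,7 +245,7 @@
  Value: "meh",
  },
  },
- expected: []common.Checksum{
+ expected: []spdx.Checksum{
  {
  Algorithm: "SHA256",
  Value: "deadbeefcafe",
@@ -275,8 +274,8 @@
  FileSystemID: "nowhere",
  }
 
- docElementId := func(identifiable artifact.Identifiable) common.DocElementID {
- return common.DocElementID{
+ docElementId := func(identifiable artifact.Identifiable) spdx.DocElementID {
+ return spdx.DocElementID{
  ElementRefID: toSPDXID(identifiable),
  }
  }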
  • ■ ■ ■ ■
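--- a/syft/formats/common/spdxhelpers/to_syft_model.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model.go
@@ -6,7 +6,7 @@
  "strconv"
  "strings"
 
- spdx "github.com/spdx/tools-golang/spdx/v2_3"
+ "github.com/spdx/tools-golang/spdx"
 
  "github.com/anchore/packageurl-go"
  "github.com/anchore/syft/internal/log"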
  • ■ ■ ■ ■ ■ ■
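--- a/syft/formats/common/spdxhelpers/to_syft_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model_test.go
@@ -3,8 +3,7 @@
 import (
  "testing"
 
- "github.com/spdx/tools-golang/spdx/common"
- spdx "github.com/spdx/tools-golang/spdx/v2_3"
+ "github.com/spdx/tools-golang/spdx"
  "github.com/stretchr/testify/assert"
  "github.com/stretchr/testify/require"
 
@@ -246,9 +245,9 @@
  RefType: "purl",
  },
  },
- PackageChecksums: []common.Checksum{
+ PackageChecksums: []spdx.Checksum{
  {
- Algorithm: common.SHA256,
+ Algorithm: spdx.SHA256,
  Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
  },
  },
@@ -267,9 +266,9 @@
  RefType: "purl",
  },
  },
- PackageChecksums: []common.Checksum{
+ PackageChecksums: []spdx.Checksum{
  {
- Algorithm: common.SHA1,
+ Algorithm: spdx.SHA1,
  Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
  },
  },
@@ -288,9 +287,9 @@
  RefType: "purl",
  },
  },
- PackageChecksums: []common.Checksum{
+ PackageChecksums: []spdx.Checksum{
  {
- Algorithm: common.SHA256,
+ Algorithm: spdx.SHA256,
  Value: "",
  },
  },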
  • ■ ■ ■ ■ ■ ■
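--- a/syft/formats/spdxjson/decoder.go
+++ b/syft/formats/spdxjson/decoder.go
@@ -4,14 +4,14 @@
  "fmt"
  "io"
 
- spdx "github.com/spdx/tools-golang/json"
+ "github.com/spdx/tools-golang/json"
 
  "github.com/anchore/syft/syft/formats/common/spdxhelpers"
  "github.com/anchore/syft/syft/sbom"
 )
 
 func decoder(reader io.Reader) (s *sbom.SBOM, err error) {
- doc, err := spdx.Load2_3(reader)
+ doc, err := json.Read(reader)
  if err != nil {
  return nil, fmt.Errorf("unable to decode spdx-json: %w", err)
  }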
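Review bot: `doc, err := json.Read(reader)` no longer names the SPDX version it accepts, unlike the `Load2_3` call it replaces, and the same applies to `tagvalue.Read(reader)` in syft/formats/spdxtagvalue/decoder.go. This decoder parses documents supplied from outside syft, so the accepted versions should be stated on `decoder`, for example `// json.Read is not version-specific: list the SPDX versions syft accepts here and reject any other explicitly`, and covered by a test with a non-2.3 fixture; what `Read` does with older documents cannot be determined from the hunk. Separately, importing `github.com/spdx/tools-golang/json` without an alias makes `json.Read` read like an `encoding/json` call, so an import alias would keep the call site unambiguous. `decoder` continues past the end of the hunk.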
  • ■ ■ ■ ■ ■ ■
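--- a/syft/formats/spdxtagvalue/decoder.go
+++ b/syft/formats/spdxtagvalue/decoder.go
@@ -4,14 +4,14 @@
  "fmt"
  "io"
 
- "github.com/spdx/tools-golang/tvloader"
+ "github.com/spdx/tools-golang/tagvalue"
 
  "github.com/anchore/syft/syft/formats/common/spdxhelpers"
  "github.com/anchore/syft/syft/sbom"
 )
 
 func decoder(reader io.Reader) (*sbom.SBOM, error) {
- doc, err := tvloader.Load2_3(reader)
+ doc, err := tagvalue.Read(reader)
  if err != nil {
  return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", err)
  }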
  • ■ ■ ■ ■ ■ ■
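--- a/syft/formats/spdxtagvalue/encoder.go
+++ b/syft/formats/spdxtagvalue/encoder.go
@@ -3,7 +3,7 @@
 import (
  "io"
 
- "github.com/spdx/tools-golang/tvsaver"
+ "github.com/spdx/tools-golang/tagvalue"
 
  "github.com/anchore/syft/syft/formats/common/spdxhelpers"
  "github.com/anchore/syft/syft/sbom"
@@ -11,6 +11,6 @@
 
 func encoder(output io.Writer, s sbom.SBOM) error {
  model := spdxhelpers.ToFormatModel(s)
- return tvsaver.Save2_3(model, output)
+ return tagvalue.Write(model, output)
 }
 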