Projects STRLCPY syft Commits 30583858
    DEVELOPING.md
    skipped 118 lines
    119 119  Catalogers are the way in which syft is able to identify and construct packages given some amount of source metadata.
    120 120  For example, Syft can locate and process `package-lock.json` files when performing filesystem scans.
    121 121  See: [how to specify file globs](https://github.com/anchore/syft/tree/v0.70.0/syft/pkg/cataloger/javascript/cataloger.go#L16-L21)
    122  -and an implementation of the [package-lock.json parser](https://github.com/anchore/syft/tree/v0.70.0/syft/pkg/cataloger/javascript/cataloger.go#L16-L21) fora quick review.
     122 +and an implementation of the [package-lock.json parser](https://github.com/anchore/syft/tree/v0.70.0/syft/pkg/cataloger/javascript/cataloger.go#L16-L21) for a quick review.
     123 + 
     124 +From a high level catalogers have the following properties:
     125 + 
     126 +- They are independent from one another. The java cataloger has no idea of the processes, assumptions, or results of the python cataloger, for example.
     127 + 
     128 +- They do not know what source is being analyzed. Are we analyzing a local directory? an image? if so, the squashed representation or all layers? The catalogers do not know the answers to these questions. Only that there is an interface to query for file paths and contents from an underlying "source" being scanned.
     129 + 
     130 +- Packages created by the cataloger should not be mutated after they are created. There is one exception made for adding CPEs to a package after the cataloging phase, but that will most likely be moved back into the cataloger in the future.
    123 131   
    124 132  #### Building a new Cataloger
    125 133   
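Review bot: On new line 122, the "package-lock.json parser" link still targets `cataloger.go#L16-L21`, the same URL as the "how to specify file globs" link on line 121, so the reader is never sent to a parser implementation. Since this line is already being touched for the "fora" typo, point it at the parser source under the same `v0.70.0` tag. In the added bullets, a few wording points: "From a high level catalogers" needs a comma after "level"; "an image? if so, the squashed representation" should start each question with a capital letter; and "java cataloger" / "python cataloger" should capitalize the ecosystem names. The third bullet says packages "should not be mutated after they are created" and then names the CPE exception. It would help to say where that post-cataloging mutation happens, so a new cataloger author knows which package fields they own and which are filled in later.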
    skipped 200 lines