Projects STRLCPY syft Commits 8fe99fba
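--- a/syft/pkg/cataloger/portage/license.go
+++ b/syft/pkg/cataloger/portage/license.go
@@ -0,0 +1,43 @@
+package portage
+
+import (
+	"bufio"
+	"io"
+	"sort"
+	"strings"
+
+	"github.com/anchore/syft/internal"
+)
+
+// the licenses files seems to conform to a custom format that is common to gentoo packages.
+// see more details:
+// - https://www.gentoo.org/glep/glep-0023.html#id9
+// - https://devmanual.gentoo.org/general-concepts/licenses/index.html
+//
+// in short, the format is:
+//
+// mandatory-license
+// || ( choosable-licence1 chooseable-license-2 )
+// useflag? ( optional-component-license )
+//
+// "License names may contain [a-zA-Z0-9] (english alphanumeric characters), _ (underscore), - (hyphen), .
+// (dot) and + (plus sign). They must not begin with a hyphen, a dot or a plus sign."
+//
+// this does not conform to SPDX license expressions, which would be a great enhancement in the future.
+
+func extractLicenses(reader io.Reader) []string {
+	findings := internal.NewStringSet()
+	scanner := bufio.NewScanner(reader)
+	scanner.Split(bufio.ScanWords)
+	for scanner.Scan() {
+		token := scanner.Text()
+		if !strings.ContainsAny(token, "()|?") {
+			findings.Add(token)
+		}
+	}
+	licenses := findings.ToSlice()
+	sort.Strings(licenses)
+
+	return licenses
+}
+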
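Review bot: `scanner.Err()` is never checked after the `for scanner.Scan()` loop in `extractLicenses`, so a read error or a single token longer than `bufio.MaxScanTokenSize` (64 KiB, reported as `bufio.ErrTooLong`) ends the scan early and the caller receives a silently truncated license list that looks like a valid result. The header comment quotes the exact character set a license name may use, yet the filter on the `!strings.ContainsAny(token, "()|?")` line is a denylist, so any other junk in a LICENSE file taken from whatever is being scanned is recorded as a license verbatim; matching tokens against the documented set makes the accepted input explicit and still drops `||`, `(`, `)` and `useflag?` tokens exactly as the tests expect. Both changes are sketched below; `regexp` would be a new import in this file, and the warning uses the `log` package that parse_portage_contents.go already imports (alternatively return the error to the caller, which is the only place that knows the file path).
```go
// licenseNamePattern mirrors the gentoo rule quoted above: [a-zA-Z0-9_.+-], not starting with - . or +
var licenseNamePattern = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.+\-]*$`)

func extractLicenses(reader io.Reader) []string {
	// … unchanged: set and scanner setup …
	for scanner.Scan() {
		token := scanner.Text()
		if licenseNamePattern.MatchString(token) {
			findings.Add(token)
		}
	}
	if err := scanner.Err(); err != nil {
		// e.g. bufio.ErrTooLong: the list returned below is incomplete, not empty
		log.Warnf("unable to fully parse portage license file: %+v", err)
	}
	// … unchanged: sort and return …
}
```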
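--- a/syft/pkg/cataloger/portage/license_test.go
+++ b/syft/pkg/cataloger/portage/license_test.go
@@ -0,0 +1,68 @@
+package portage
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// you can get a good sense of test fixtures with:
+// docker run --rm -it gentoo/stage3 bash -c 'find var/db/pkg/ | grep LICENSE | xargs cat'
+
+func Test_extractLicenses(t *testing.T) {
+
+	tests := []struct {
+		name string
+		license string
+		want []string
+	}{
+		{
+			name: "empty",
+			license: "",
+			want: []string{},
+		},
+		{
+			name: "single",
+			license: "GPL-2",
+			want: []string{"GPL-2"},
+		},
+		{
+			name: "multiple",
+			license: "GPL-2 GPL-3 ", // note the extra space
+			want: []string{"GPL-2", "GPL-3"},
+		},
+		// the following cases are NOT valid interpretations, but capture the behavior today.
+		// when we follow up later with SPDX license expressions, this can be fixed then.
+		{
+			name: "license choices",
+			license: "|| ( GPL-2 GPL-3 )",
+			// should allow for expression of "NONE OR (GPL-2 OR GPL-3)" or "GPL-2 OR GPL-3",
+			// I'm not certain which is correct (NONE isn't allowed, right?)
+			want: []string{"GPL-2", "GPL-3"},
+		},
+		{
+			name: "license choices with use flag",
+			license: "LGPL-2.1+ tools? ( GPL-2+ )",
+			want: []string{"GPL-2+", "LGPL-2.1+"}, // should allow for expression of "LGPL-2.1+ OR (LGPL-2.1+ AND GPL-2+)"
+		},
+		{
+			name: "license choices with unknown suffix",
+			license: "GPL-3+ LGPL-3+ || ( GPL-3+ libgcc libstdc++ gcc-runtime-library-exception-3.1 ) FDL-1.3+",
+			want: []string{
+				"FDL-1.3+", // is it right to include this? what does this represent since a useflag was not specified?
+				"GPL-3+",
+				"LGPL-3+",
+				"gcc-runtime-library-exception-3.1",
+				"libgcc",
+				"libstdc++",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, extractLicenses(strings.NewReader(tt.license)), "extractLicenses(%v)", tt.license)
+		})
+	}
+}
+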
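Review bot: The `empty` case pins `want: []string{}` rather than nil, and `assert.Equalf` treats a nil slice and an empty slice as different, so this case only passes if `internal.StringSet.ToSlice` happens to return a non-nil empty slice — a contract that is not visible in this commit and that the test should not depend on; asserting the property directly with `assert.Empty(t, got)` for that case (or special-casing `len(tt.want) == 0` in the loop) is more robust. There is also no case for a scan that stops early: a single token of `strings.Repeat("a", bufio.MaxScanTokenSize+1)` makes the scanner fail with `bufio.ErrTooLong`, which is exactly the input where `extractLicenses` returns a partial list without signalling it, and a fixture for it would document whatever behavior is intended. The `// note the extra space` and the open questions in the `license choices` comments are useful; the second could be turned into a `TODO` so it is found later when the SPDX follow-up happens.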
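--- a/syft/pkg/cataloger/portage/parse_portage_contents.go
+++ b/syft/pkg/cataloger/portage/parse_portage_contents.go
@@ -6,11 +6,9 @@
 	"path"
 	"path/filepath"
 	"regexp"
-	"sort"
 	"strconv"
 	"strings"
 
-	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
@@ -107,18 +105,7 @@
 		return
 	}
 
-	findings := internal.NewStringSet()
-	scanner := bufio.NewScanner(licenseReader)
-	scanner.Split(bufio.ScanWords)
-	for scanner.Scan() {
-		token := scanner.Text()
-		if token != "||" && token != "(" && token != ")" {
-			findings.Add(token)
-		}
-	}
-	licenses := findings.ToSlice()
-	sort.Strings(licenses)
-	p.Licenses = licenses
+	p.Licenses = extractLicenses(licenseReader)
 	p.Locations.Add(location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation))
 }
 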
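Review bot: At the new `p.Licenses = extractLicenses(licenseReader)` line a read failure of the LICENSE file is indistinguishable from a file that lists no licenses, because `extractLicenses` returns only the slice (the removed inline loop had the same gap, so this is not a regression), and the next line then attaches the supporting-evidence annotation to a package whose license data may be truncated. This file already imports `log`, so the call site is the natural place to surface it: have `extractLicenses` return `([]string, error)` and write `if err != nil { log.Warnf("unable to parse portage license file: %+v", err) }` here before assigning. The enclosing function starts before this hunk, so how `licenseReader` is opened and closed is not visible from this view; the `bufio` import it used is presumably still needed elsewhere since it is not removed above.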