From fbfff94d35bc165f3b1f5e42da7385f95d0bd285 Mon Sep 17 00:00:00 2001 From: "florian.metzger-noel" Date: Tue, 25 Mar 2025 08:08:30 +0100 Subject: [PATCH 1/2] feat: adding analyzer for Generic dependencies --- .../analyzer/language/generic/generic.go | 95 +++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 pkg/fanal/analyzer/language/generic/generic.go diff --git a/pkg/fanal/analyzer/language/generic/generic.go b/pkg/fanal/analyzer/language/generic/generic.go new file mode 100644 index 000000000000..5c1358ad231f --- /dev/null +++ b/pkg/fanal/analyzer/language/generic/generic.go 
@@ -0,0 +1,95 @@
+package generic
+
+import (
+ "context"
+ "io"
+ "io/fs"
+ "os"
+ "path/filepath"
+
+ "golang.org/x/xerrors"
+
+ "github.com/aquasecurity/trivy/pkg/dependency/parser/generic"
+ "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
+ "github.com/aquasecurity/trivy/pkg/fanal/types"
+ "github.com/aquasecurity/trivy/pkg/log"
+ "github.com/aquasecurity/trivy/pkg/utils/fsutils"
+ xio "github.com/aquasecurity/trivy/pkg/x/io"
+)
+
+func init() {
+ analyzer.RegisterAnalyzer(analyzer.TypeGeneric, newGenericAnalyzer)
+}
+
+const (
+ version = 1
+)
+
+type genericLibraryAnalyzer struct {
+ logger *log.Logger
+ parser language.Parser
+}
+
+func newGenericAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
+ return &genericLibraryAnalyzer{
+ logger: log.WithPrefix("generic"),
+ parser: generic.NewParser(),
+ }, nil
+}
+
+func (a genericLibraryAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
+ // Parse dependencies.json files
+ required := func(path string, _ fs.DirEntry) bool {
+ return filepath.Base(path) == types.GenericDeps || input.FilePatterns.Match(path)
+ }
+
+ var apps []types.Application
+ err := fsutils.WalkDir(input.FS, ".", required, func(filePath string, d fs.DirEntry, r io.Reader) error {
+ app, err := a.parseGenericFile(input.FS, filePath)
+ if err != nil {
+ return xerrors.Errorf("parse error: %w", err)
+ } else if app == nil {
+ return nil
+ }
+
+ apps = append(apps, *app)
+ return nil
+ })
+ if err != nil {
+ return nil, xerrors.Errorf("dependencies.json walk error: %w", err)
+ }
+
+ return &analyzer.AnalysisResult{
+ Applications: apps,
+ }, nil
+}
+
+func (a genericLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+ fileName := filepath.Base(filePath)
+ return fileName == types.GenericDeps
+}
+
+func (a genericLibraryAnalyzer) Type() analyzer.Type {
+ return analyzer.TypeGeneric
+}
+
+func (a genericLibraryAnalyzer) Version() int {
+ return version
+}
+
+func (a genericLibraryAnalyzer) parseGenericFile(fsys fs.FS, filePath string) (*types.Application, error) {
+ f, err := fsys.Open(filePath)
+ if err != nil {
+ return nil, xerrors.Errorf("file open error: %w", err)
+ }
+ defer func() { _ = f.Close() }()
+
+ file, ok := f.(xio.ReadSeekCloserAt)
+ if !ok {
+ return nil, xerrors.Errorf("type assertion error: %w", err)
+ }
+
+ // parse generic.json file
+ return language.Parse(types.Generic, filePath, file, a.parser)
+}
From 4d1141e12672d461fb521ba41fe672a6903b5622 Mon Sep 17 00:00:00 2001
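Review bot: In parseGenericFile the type-assertion failure branch wraps `err`, which is necessarily nil at that point (the open error was already returned), so the message renders with a nil `%w` and the offending concrete type is lost; use `return nil, xerrors.Errorf("type assertion error: expected xio.ReadSeekCloserAt, got %T", f)`. A second concern is in PostAnalyze: the walk callback returns the parse error, which presumably aborts the walk and fails the whole scan the moment one unparsable file named `dependencies.json` — a very common filename in unrelated projects — is found anywhere in the tree; logging through the otherwise unused `a.logger` and returning nil would be safer, in the same way the `app == nil` case is already tolerated. The comment `// parse generic.json file` also names a file that does not exist in this format; make it `// parse dependencies.json file`.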
From: "florian.metzger-noel" Date: Tue, 25 Mar 2025 14:07:01 +0100 Subject: [PATCH 2/2] feat: adding analyzer for Generic dependencies --- .cursor/rules/project-description.mdc | 10 ++ .gitignore | 3 + build.sh | 20 +++ .../fixtures/repo/generic/dependencies.json | 33 +++++ .../fixtures/repo/generic/package-lock.json | 98 +++++++++++++++ pkg/dependency/parser/generic/parse.go | 116 ++++++++++++++++++ pkg/dependency/parser/generic/parse_test.go | 12 ++ pkg/dependency/parser/generic/schema.json | 83 +++++++++++++ .../parser/generic/testdata/dependencies.json | 33 +++++ pkg/fanal/analyzer/all/import.go | 1 + pkg/fanal/analyzer/const.go | 5 + .../analyzer/language/generic/generic.go | 4 +- .../go.sum | 42 +++++++ .../go.sum | 42 +++++++ pkg/fanal/types/const.go | 3 + 15 files changed, 503 insertions(+), 2 deletions(-) create mode 100644 .cursor/rules/project-description.mdc create mode 100755 build.sh create mode 100644 integration/testdata/fixtures/repo/generic/dependencies.json create mode 100644 integration/testdata/fixtures/repo/generic/package-lock.json create mode 100644 pkg/dependency/parser/generic/parse.go create mode 100644 pkg/dependency/parser/generic/parse_test.go create mode 100644 pkg/dependency/parser/generic/schema.json create mode 100644 pkg/dependency/parser/generic/testdata/dependencies.json create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.sum create mode 100644 pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.sum diff --git a/.cursor/rules/project-description.mdc b/.cursor/rules/project-description.mdc new file mode 100644 index 000000000000..55f0b1198cf7 --- /dev/null +++ b/.cursor/rules/project-description.mdc 
@@ -0,0 +1,10 @@ +--- +description: +globs: +alwaysApply: true +--- +This is a SBOM generator app. It has many plugins in pkg/dependency/parser/. Our goal is to add one new plugin, based on pkg/dependency/parser/node/npm - it should be called pkg/dependency/parser/generic + +It's a format for manually recording dependencies in a json file as input for SBOMs for non-supported project types. + +Our format is very similar to the node/npm format. diff --git a/.gitignore b/.gitignore index a2fc00ad08b6..b40a2720bf5b 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,6 @@ cmd/trivy/trivy # RPM *.rpm + +# Build output +bin/ diff --git a/build.sh b/build.sh new file mode 100755 index 000000000000..4a15193bce08 --- /dev/null +++ b/build.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +# Run this script to build the trivy binary + +set -e + +# Change to script directory +cd "$(dirname "$0")" + +# Set binary name +BINARY="trivy" +BIN_PATH="bin/$BINARY" + +# Create bin directory if it doesn't exist +mkdir -p bin + +# Build binary +go build -o "$BIN_PATH" "./cmd/$BINARY" + +echo "$BINARY built successfully in $BIN_PATH" \ No newline at end of file diff --git a/integration/testdata/fixtures/repo/generic/dependencies.json b/integration/testdata/fixtures/repo/generic/dependencies.json new file mode 100644 index 000000000000..e9d57fe315d1 --- /dev/null +++ b/integration/testdata/fixtures/repo/generic/dependencies.json 
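Review bot: build.sh (together with the `.cursor` rule file and the `bin/` ignore entry in this commit) is local developer tooling unrelated to the generic analyzer and presumably duplicates the project's existing build entry point, so it should be dropped from this PR or split into its own change. If it stays, `set -e` alone lets unset variables and failures inside pipelines through; use `set -euo pipefail`.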
@@ -0,0 +1,33 @@ +{ + "packageName": "M2CPos", + "packageVersion": "2.0 alpha", + "packageLicense": "GPL 2.1", + "dependencies": { + "linuxKernel": { + "version": "2.1", + "source": "https://github.com/....", + "type": "source", + "license": "GPL 2.1", + "checksum": "SHA256: 12345667" + }, + "libC": { + "version": "12.1", + "source": "https://github.com/....", + "type": "source", + "license": "LGPL 1.2", + "checksum": "SHA256: 789321456" + } + }, + "sourceFiles": { + "path/to/FileName.c": { + "version": "2.2", + "checksum": "SHA256 562145698", + "license": "GPL 2.1" + }, + "path/to/FileName2": { + "version": "2.2", + "checksum": "SHA256 562145698", + "license": "proprietary" + } + } +} diff --git a/integration/testdata/fixtures/repo/generic/package-lock.json b/integration/testdata/fixtures/repo/generic/package-lock.json new file mode 100644 index 000000000000..5658cc502e0a --- /dev/null +++ b/integration/testdata/fixtures/repo/generic/package-lock.json 
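Review bot: This integration fixture is added without any integration test or golden file referencing it — the diffstat lists no `integration/*_test.go` or `.golden` change — so the new analyzer is never exercised end to end. The `checksum` values (`SHA256: 12345667`, `SHA256 562145698`) are not digests in any real format and are inconsistent with each other, and both `sourceFiles` entries share one value, so the fixture cannot pin down what the parser should accept or detect a checksum-handling regression; use real-length hex digests in one agreed `algo:hex` form.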
@@ -0,0 +1,98 @@ +{ + "version": "1.0.0", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "asap": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/asap/-/asap-2.0.6.tgz", + "integrity": "sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=" + }, + "jquery": { + "version": "3.3.9", + "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.4.0.tgz", + "integrity": "sha512-ggRCXln9zEqv6OqAGXFEcshF5dSBvCkzj6Gm2gzuR5fWawaX8t7cxKVkkygKODrDAzKdoYw3l/e3pm3vlT4IbQ==" + }, + "js-tokens": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", + "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==" + }, + "loose-envify": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz", + "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==", + "requires": { + "js-tokens": "^3.0.0 || ^4.0.0" + } + }, + "object-assign": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", + "integrity": "sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=" + }, + "promise": { + "version": "8.0.3", + "resolved": "https://registry.npmjs.org/promise/-/promise-8.0.3.tgz", + "integrity": "sha512-HeRDUL1RJiLhyA0/grn+PTShlBAcLuh/1BJGtrvjwbvRDCTLLMEz9rOGCV+R3vHY4MixIuoMEd9Yq/XvsTPcjw==", + "requires": { + "asap": "~2.0.6" + } + }, + "prop-types": { + "version": "15.7.2", + "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.7.2.tgz", + "integrity": "sha512-8QQikdH7//R2vurIJSutZ1smHYTcLpRWEOlHnzcWHmBYrOGUysKwSsrC89BCiFj3CbrfJ/nXFdJepOVrY1GCHQ==", + "requires": { + "loose-envify": "^1.4.0", + "object-assign": "^4.1.1", + "react-is": "^16.8.1" + } + }, + "react": { + "version": "16.8.6", + "resolved": "https://registry.npmjs.org/react/-/react-16.8.6.tgz", + "integrity": 
"sha512-pC0uMkhLaHm11ZSJULfOBqV4tIZkx87ZLvbbQYunNixAAvjnC+snJCg0XQXn9VIsttVsbZP/H/ewzgsd5fxKXw==", + "requires": { + "loose-envify": "^1.1.0", + "object-assign": "^4.1.1", + "prop-types": "^15.6.2", + "scheduler": "^0.13.6" + } + }, + "react-is": { + "version": "16.8.6", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.8.6.tgz", + "integrity": "sha512-aUk3bHfZ2bRSVFFbbeVS4i+lNPZr3/WM5jT2J5omUVV1zzcs1nAaf3l51ctA5FFvCRbhrH0bdAsRRQddFJZPtA==" + }, + "redux": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/redux/-/redux-4.0.1.tgz", + "integrity": "sha512-R7bAtSkk7nY6O/OYMVR9RiBI+XghjF9rlbl5806HJbQph0LJVHZrU5oaO4q70eUKiqMRqm4y07KLTlMZ2BlVmg==", + "requires": { + "loose-envify": "^1.4.0", + "symbol-observable": "^1.2.0" + } + }, + "scheduler": { + "version": "0.13.6", + "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.13.6.tgz", + "integrity": "sha512-IWnObHt413ucAYKsD9J1QShUKkbKLQQHdxRyw73sw4FN26iWr3DY/H34xGPe4nmL1DwXyWmSWmMrA9TfQbE/XQ==", + "requires": { + "loose-envify": "^1.1.0", + "object-assign": "^4.1.1" + } + }, + "symbol-observable": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/symbol-observable/-/symbol-observable-1.2.0.tgz", + "integrity": "sha512-e900nM8RRtGhlV36KGEU9k65K3mPb1WV70OdjfxlG2EAuM1noi/E/BaW/uMhL7bPEssK8QV57vN3esixjUvcXQ==" + }, + "z-lock": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/z-lock/-/z-lock-1.0.0.tgz", + "integrity": "sha512-TWoID7h5wphb4YHcY/tu9u7nZb6wtmBjqpRUYbQCemrhmJXL+7/Vblb6rs7ANnBInIt9Qccb7bXUCNGZpxekeA==", + "dev": true + } + } +} \ No newline at end of file diff --git a/pkg/dependency/parser/generic/parse.go b/pkg/dependency/parser/generic/parse.go new file mode 100644 index 000000000000..7ab059c5aa7f --- /dev/null +++ b/pkg/dependency/parser/generic/parse.go 
@@ -0,0 +1,116 @@
+package generic
+
+import (
+ "github.com/aquasecurity/trivy/pkg/dependency"
+ "io"
+
+ "github.com/aquasecurity/jfather"
+ "golang.org/x/xerrors"
+
+ "github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
+ ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+ "github.com/aquasecurity/trivy/pkg/log"
+ xio "github.com/aquasecurity/trivy/pkg/x/io"
+)
+
+type Dependency struct {
+ Version string `json:"version"`
+ Source string `json:"source"`
+ Type string `json:"type"`
+ License string `json:"license,omitempty"`
+ Copyright string `json:"copyright,omitempty"`
+ Checksum string `json:"checksum,omitempty"`
+}
+
+type SourceFile struct {
+ Version string `json:"version"`
+ Checksum string `json:"checksum"`
+ License string `json:"license"`
+ Copyright string `json:"copyright,omitempty"`
+}
+
+type GenericPackage struct {
+ PackageName string `json:"packageName"`
+ PackageVersion string `json:"packageVersion"`
+ PackageLicense string `json:"packageLicense,omitempty"`
+ PackageCopyright string `json:"packageCopyright,omitempty"`
+ Dependencies map[string]Dependency `json:"dependencies"`
+ SourceFiles map[string]SourceFile `json:"sourceFiles,omitempty"`
+}
+
+type Parser struct {
+ logger *log.Logger
+}
+
+func NewParser() *Parser {
+ return &Parser{
+ logger: log.WithPrefix("generic"),
+ }
+}
+
+func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
+ var genericPackage GenericPackage
+ input, err := io.ReadAll(r)
+ if err != nil {
+ return nil, nil, xerrors.Errorf("read error: %w", err)
+ }
+
+ if err := jfather.Unmarshal(input, &genericPackage); err != nil {
+ return nil, nil, xerrors.Errorf("decode error: %w", err)
+ }
+
+ var pkgs []ftypes.Package
+ var deps []ftypes.Dependency
+
+ // Add the main package
+ mainPkg := ftypes.Package{
+ ID: packageID(genericPackage.PackageName, genericPackage.PackageVersion),
+ Name: genericPackage.PackageName,
+ Version: genericPackage.PackageVersion,
+ Licenses: []string{genericPackage.PackageLicense},
+ Relationship: ftypes.RelationshipRoot,
+ }
+ pkgs = append(pkgs, mainPkg)
+
+ // Add dependencies
+ for depName, dep := range genericPackage.Dependencies {
+ depPkg := ftypes.Package{
+ ID: packageID(depName, dep.Version),
+ Name: depName,
+ Version: dep.Version,
+ Licenses: []string{dep.License},
+ Relationship: ftypes.RelationshipDirect,
+ }
+ pkgs = append(pkgs, depPkg)
+
+ // Add dependency relationship
+ deps = append(deps, ftypes.Dependency{
+ ID: mainPkg.ID,
+ DependsOn: []string{depPkg.ID},
+ })
+ }
+
+ // Add source files as packages
+ for filePath, file := range genericPackage.SourceFiles {
+ filePkg := ftypes.Package{
+ ID: packageID(filePath, file.Version),
+ Name: filePath,
+ Version: file.Version,
+ Licenses: []string{file.License},
+ Relationship: ftypes.RelationshipDirect,
+ }
+ pkgs = append(pkgs, filePkg)
+
+ // Add source file relationship
+ deps = append(deps, ftypes.Dependency{
+ ID: mainPkg.ID,
+ DependsOn: []string{filePkg.ID},
+ })
+ }
+
+ return utils.UniquePackages(pkgs), deps, nil
+}
+
+func packageID(name, version string) string {
+ return dependency.ID(ftypes.Generic, name, version)
+}
diff --git a/pkg/dependency/parser/generic/parse_test.go b/pkg/dependency/parser/generic/parse_test.go
new file mode 100644
index 000000000000..6c182d79ad5c
--- /dev/null
+++ b/pkg/dependency/parser/generic/parse_test.go
@@ -0,0 +1,12 @@
+package generic
+
+import (
+ "testing"
+)
+
+func TestNewParser(t *testing.T) {
+ p := NewParser()
+ if p == nil {
+ t.Error("NewParser() returned nil")
+ }
+}
diff --git a/pkg/dependency/parser/generic/schema.json b/pkg/dependency/parser/generic/schema.json
new file mode 100644
index 000000000000..7fb00cc5d864
--- /dev/null
+++ b/pkg/dependency/parser/generic/schema.json
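Review bot: Parse appends one `ftypes.Dependency{ID: mainPkg.ID, DependsOn: []string{x}}` per entry, so the root ID is repeated once per child instead of appearing once with a full `DependsOn` list, and because both loops `range` over Go maps the order of `pkgs` and `deps` differs between runs — `utils.UniquePackages` may sort the packages (its name suggests so), but nothing sorts `deps`, so SBOM and report output is not reproducible. Collect the child IDs, sort them, and emit a single dependency record as sketched below (needs `sort` or `slices` imported, and `dependency` belongs in the third-party import group rather than next to `io`). `Licenses: []string{...}` should also be set only when the string is non-empty: `packageLicense` and `license` are `omitempty` in the structs, so an absent licence currently becomes a single empty-string licence entry. Finally, `Checksum`, `Source` and `Type` are decoded and then discarded; for a manifest whose purpose is hand-recording supply-chain data the checksum at least should be carried onto the package (after validating it is `algo:hex` — the fixtures' `SHA256: 12345667` would not pass), or the fields should be dropped from the structs so the format does not promise what the scanner ignores.
```go
	// … unchanged: decode into genericPackage and build mainPkg …
	pkgs := []ftypes.Package{mainPkg}
	var dependsOn []string

	for depName, dep := range genericPackage.Dependencies {
		depPkg := ftypes.Package{
			ID:           packageID(depName, dep.Version),
			Name:         depName,
			Version:      dep.Version,
			Relationship: ftypes.RelationshipDirect,
		}
		if dep.License != "" {
			depPkg.Licenses = []string{dep.License}
		}
		pkgs = append(pkgs, depPkg)
		dependsOn = append(dependsOn, depPkg.ID)
	}

	// … same treatment for genericPackage.SourceFiles, appending to dependsOn …

	// Map iteration order is random; sort so the report is reproducible.
	sort.Strings(dependsOn)
	var deps []ftypes.Dependency
	if len(dependsOn) > 0 {
		deps = append(deps, ftypes.Dependency{ID: mainPkg.ID, DependsOn: dependsOn})
	}
	return utils.UniquePackages(pkgs), deps, nil
```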
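Review bot: The only test asserts that `NewParser()` is non-nil; nothing calls `Parse`, so the testdata file added alongside it is never read and the package/relationship/licence output is unchecked. Add a table test that opens `testdata/dependencies.json` and compares the returned packages and dependencies against expected values, as the other parsers in `pkg/dependency/parser` presumably do — such a test would already have caught that the testdata file is not valid JSON (it carries a trailing comma after `"license": "GPL 2.1"`). A second case with a malformed or empty file should assert the `decode error` path.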
@@ -0,0 +1,83 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "properties": { + "packageName": { + "type": "string" + }, + "packageVersion": { + "type": "string" + }, + "packageLicense": { + "type": "string" + }, + "packageCopyright": { + "type": "string" + }, + "dependencies": { + "type": "object", + "properties": { + "packageName": { + "type": "object", + "properties": { + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "type": { + "type": "string" + }, + "license": { + "type": "string" + }, + "copyright": { + "type": "string" + }, + "checksum": { + "type": "string" + } + }, + "required": [ + "version", + "source", + "type" + ] + } + } + }, + "sourceFiles": { + "type": "object", + "properties": { + "filename": { + "type": "object", + "properties": { + "version": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "license": { + "type": "string" + }, + "copyright": { + "type": "string" + } + }, + "required": [ + "version", + "checksum", + "license" + ] + } + } + } + }, + "required": [ + "packageName", + "packageVersion", + "dependencies" + ] +} \ No newline at end of file diff --git a/pkg/dependency/parser/generic/testdata/dependencies.json b/pkg/dependency/parser/generic/testdata/dependencies.json new file mode 100644 index 000000000000..df38eec1ed27 --- /dev/null +++ b/pkg/dependency/parser/generic/testdata/dependencies.json 
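Review bot: The schema does not describe the parser's input: `dependencies` and `sourceFiles` are maps keyed by arbitrary package names or paths, but the schema declares a single property literally named `packageName` / `filename`, so a real manifest validates vacuously (unknown properties are allowed by default) and the per-entry `required` lists never apply. Describe the map values with `additionalProperties` instead, e.g. `"dependencies": { "type": "object", "additionalProperties": { …entry schema… } }`. Nothing in the patch loads this file either, so constraints such as `checksum` being required on source files are not enforced by `Parse`; either wire validation in or mark the schema as documentation-only so nobody relies on it.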
@@ -0,0 +1,33 @@ +{ + "packageName": "M2CPos", + "packageVersion": "2.0 alpha", + "packageLicense": "GPL 2.1", + "dependencies": { + "linuxKernel": { + "version": "2.1", + "source": "https://github.com/....", + "type": "source", + "license": "GPL 2.1", + "checksum": "SHA256: 12345667" + }, + "libC": { + "version": "12.1", + "source": "https://github.com/....", + "type": "source", + "license": "LGPL 1.2", + "checksum": "SHA256: 789321456" + } + }, + "sourceFiles": { + "path/to/FileName.c": { + "version": "2.2", + "checksum": "SHA256 562145698", + "license": "GPL 2.1", + }, + "path/to/FileName2": { + "version": "2.2", + "checksum": "SHA256 562145698", + "license": "proprietary" + } + } +} \ No newline at end of file diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go index c9d50dd4f924..3ae513677fcd 100644 --- a/pkg/fanal/analyzer/all/import.go +++ b/pkg/fanal/analyzer/all/import.go @@ -15,6 +15,7 @@ import ( _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/packagesprops" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/elixir/mix" + _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/generic" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/binary" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/mod" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle" diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go index 13f5fa650748..197821c5b092 100644 --- a/pkg/fanal/analyzer/const.go +++ b/pkg/fanal/analyzer/const.go @@ -103,6 +103,9 @@ const ( // Julia TypeJulia Type = "julia" + // Generic + TypeGeneric Type = "generic" + // ============ // Non-packaged // ============ @@ -208,6 +211,7 @@ var ( TypeMixLock, TypeJulia, TypeSBOM, + TypeGeneric, } // TypeLockfiles has all lock file analyzers 
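Review bot: This testdata file is not valid JSON — in the first `sourceFiles` entry `"license": "GPL 2.1",` is followed directly by `}`, a trailing comma that strict decoders reject — and because no test parses the file the breakage goes unnoticed. Drop the comma (`"license": "GPL 2.1"`) and add a Parse test over the file. The `checksum` values also mix two spellings (`SHA256: 12345667` vs `SHA256 562145698`) and are not real digest lengths, so the fixture cannot define what the parser should accept.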
@@ -231,6 +235,7 @@ var ( TypeMixLock, TypeCondaEnv, TypeComposer, + TypeGeneric, } // TypeIndividualPkgs has all analyzers for individual packages diff --git a/pkg/fanal/analyzer/language/generic/generic.go b/pkg/fanal/analyzer/language/generic/generic.go index 5c1358ad231f..2fb820cd71d0 100644 --- a/pkg/fanal/analyzer/language/generic/generic.go +++ b/pkg/fanal/analyzer/language/generic/generic.go @@ -19,7 +19,7 @@ import ( ) func init() { - analyzer.RegisterAnalyzer(analyzer.TypeGeneric, newGenericAnalyzer) + analyzer.RegisterPostAnalyzer(types.GenericDeps, newGenericAnalyzer) } const ( @@ -71,7 +71,7 @@ func (a genericLibraryAnalyzer) Required(filePath string, _ os.FileInfo) bool { } func (a genericLibraryAnalyzer) Type() analyzer.Type { - return analyzer.TypeGeneric + return analyzer.Type(types.GenericDeps) } func (a genericLibraryAnalyzer) Version() int { diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.sum b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.sum new file mode 100644 index 000000000000..ba5701c97ae7 --- /dev/null +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.sum 
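Review bot: `Type()` now returns `analyzer.Type(types.GenericDeps)`, i.e. the literal filename `dependencies.json`, while the same commit adds `TypeGeneric = "generic"` to `TypeLanguages` and `TypeLockfiles` in analyzer/const.go; if those lists drive analyzer selection, as their neighbours suggest, this analyzer is not covered by them and `TypeGeneric` is dead. Register and report under the constant instead: `analyzer.RegisterPostAnalyzer(analyzer.TypeGeneric, newGenericAnalyzer)` and `return analyzer.TypeGeneric`. Whichever is chosen, the const.go hunks and these two lines must agree.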
@@ -0,0 +1,42 @@ +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.mod h1:olhPNdiiAAMiSujemd1O/sc6GcyePr23f/6uGKtthNg= +github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM= +github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/samber/lo v1.37.0/go.mod h1:9vaz2O4o8oOnK23pd2TrXufcbdbJIa3b6cstBWKpopA= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod 
h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.sum b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.sum new file mode 100644 index 000000000000..ba5701c97ae7 --- /dev/null +++ b/pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.sum 
@@ -0,0 +1,42 @@ +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46/go.mod h1:olhPNdiiAAMiSujemd1O/sc6GcyePr23f/6uGKtthNg= +github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8= +github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM= +github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/samber/lo v1.37.0/go.mod h1:9vaz2O4o8oOnK23pd2TrXufcbdbJIa3b6cstBWKpopA= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod 
h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= +golang.org/x/exp v0.0.0-20220407100705-7b9b53b0aca4/go.mod h1:lgLbSvA5ygNOMpwM/9anMpWVlVJ7Z+cHWq/eFuinpGE= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index 4ffeb2fb5660..98238d590741 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go @@ -58,6 +58,7 @@ var OSTypeAliases = map[OSType]OSType{ // Programming language dependencies const ( + Generic LangType = "generic" Bundler LangType = "bundler" GemSpec LangType = "gemspec" Cargo LangType = "cargo" @@ -164,6 +165,8 @@ const ( YarnLock = "yarn.lock" PnpmLock = "pnpm-lock.yaml" + GenericDeps = "dependencies.json" + ComposerLock = "composer.lock" ComposerJson = "composer.json" ComposerInstalledJson = "installed.json"
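Review bot: `GenericDeps = "dependencies.json"` chooses a filename that many unrelated projects already use, and the analyzer added in the first commit matches it by base name anywhere in the tree, so scans of repositories that happen to contain one will try to parse it as this format. Either pick a more distinctive name (a `trivy-` prefix, for instance) or have the parser require a discriminator such as a top-level format/version field before treating the file as a generic manifest. The format is also undocumented — the diffstat touches nothing under `docs/` — so users have no way to learn the expected keys beyond reading `schema.json`.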