improve Haskell stack.yaml and stack.yaml.lock cataloging #2454
Labels
Comments
willmurphyscode
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like to be added:
When syft parses stack.yaml or stack.yaml.lock files, it currently assumes everything was installed from a package manager, and doesn't know how to parse the entry that results when a package is installed directly from GitHub, for example.
Example stack.yaml:
https://github.com/EdsonACortese/postgrest/blob/aaa4fbc3703642cea2300715c5b2c7cb8266134a/stack.yaml#L31-L32
Example stack.yaml.lock:
https://github.com/EdsonACortese/postgrest/blob/aaa4fbc3703642cea2300715c5b2c7cb8266134a/stack.yaml.lock#L133-L144
Why is this needed:
Right now, syft doesn't know how to parse these entries, and skips them. In the case of stack.yaml.lock, it skips only the entry. In the case of stack.yaml, it fails to parse the entire file.
There's enough information to get a package name and maybe a version from these dependencies, so we should at least try to catalog them. Failing to parse the entire stack.yaml because of one unusual entry is probably a bug.
Additional context:
Previously, syft would panic when encountering such a stack.yaml.lock entry, but that was fixed in #2421. This was discovered while investigating that issue.
The text was updated successfully, but these errors were encountered: