
detect jQuery file #3566

Open
witchcraze opened this issue Jan 6, 2025 · 3 comments
Comments

@witchcraze (Contributor)
What would you like to be added:

Detect jQuery file which is not managed by any package manager.
jquery-x.y.z.min.js
jquery-x.y.z.js
jquery-x.y.z.slim.min.js

Why is this needed:

To remove old jQuery files.

Additional context:

I think this will be solved with the cataloger which is referred to in #2658.
jQuery on CDNs will be widely used, but I cannot judge whether this is in scope for Syft.

witchcraze added the "enhancement" (New feature or request) label on Jan 6, 2025

@kzantow (Contributor) commented Feb 3, 2025

This is an interesting ask! I would instinctively think this could be handled with an approach similar to the binary cataloger, where we determine some set of regular expressions and if matched, validate we found a jQuery file. See if there's some common window = jquery or similar perhaps to key off of.

kzantow moved this to Ready in OSS on Feb 3, 2025

@westonsteimel (Contributor) commented Feb 3, 2025

I like the idea of trying to parse known JavaScript artifacts from popular CDN strings, though one of the difficulties will be anything using @latest and trying to resolve the actual currently used version. I do think it would be interesting to someday be able to point syft at a website and have it attempt to catalog everything from the HTML, but I suspect that is very different from anything it currently handles.

@mprpic (Contributor) commented Feb 10, 2025

This would be very helpful to discover vendored dependencies as is the case for example with Django:

(venv) ~/temp/django_app > syft .
 ✔ Indexed file system                   .
 ✔ Cataloged contents                    cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
   ├── ✔ Packages                        [4 packages]  
   ├── ✔ File digests                    [11 files]  
   ├── ✔ File metadata                   [11 locations]  
   └── ✔ Executables                     [0 executables]  
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME      VERSION  TYPE     
asgiref   3.8.1    python    
django    5.1.6    python    
pip       24.2     python    
sqlparse  0.5.3    python  
(venv) ~/temp/django_app > fd jquery
venv/lib/python3.13/site-packages/django/contrib/admin/static/admin/js/jquery.init.js
venv/lib/python3.13/site-packages/django/contrib/admin/static/admin/js/vendor/jquery/
venv/lib/python3.13/site-packages/django/contrib/admin/static/admin/js/vendor/jquery/jquery.js
venv/lib/python3.13/site-packages/django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js

Even if the files don't themselves contain versions in their name, they often come with headers that contain that information:

(venv) ~/temp/django_app > head venv/lib/python3.13/site-packages/django/contrib/admin/static/admin/js/vendor/jquery/jquery.js
/*!
 * jQuery JavaScript Library v3.7.1
 * https://jquery.com/
 *
 * Copyright OpenJS Foundation and other contributors
 * Released under the MIT license
 * https://jquery.org/license
 *
 * Date: 2023-08-28T13:37Z
 */

I imagine this could be generalized into a jsasset cataloger that could include regexes to catch the most common JS libraries (such as jQuery). If a version can't be discovered, it could be left unversioned (I assume that's possible?).
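As an added illustration of the regex-based approach kzantow and mprpic describe above (example code written for this thread, not Syft's own cataloger): a small Go detector that keys off the unmanaged file names from the request and the version banner from the header quoted above, falling back to an unversioned match for a bare jquery.js. The 1 KiB scan window, the "header"/"filename" source labels and the sample paths are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// File names listed in the issue: jquery-x.y.z.js, jquery-x.y.z.min.js, jquery-x.y.z.slim.min.js.
var jQueryFilename = regexp.MustCompile(`(?i)^jquery-(\d+\.\d+\.\d+)(?:\.slim)?(?:\.min)?\.js$`)

// Version line of the license banner that jquery.js and jquery.min.js both keep
// (the header quoted above: "jQuery JavaScript Library v3.7.1").
var jQueryBanner = regexp.MustCompile(`jQuery JavaScript Library v(\d+\.\d+\.\d+)`)

// DetectJQuery reports whether a file looks like jQuery and, if so, its version and
// where the version came from ("header" or "filename"). The banner sits at the top
// of the file, so only the first 1 KiB is scanned; it is preferred over the file name
// because files get renamed. A bare jquery.js / jquery.min.js yields version "".
func DetectJQuery(filePath string, content []byte) (version, source string, ok bool) {
	head := content
	if len(head) > 1024 {
		head = head[:1024]
	}
	if m := jQueryBanner.FindSubmatch(head); m != nil {
		return string(m[1]), "header", true
	}
	base := path.Base(filePath)
	if m := jQueryFilename.FindStringSubmatch(base); m != nil {
		return m[1], "filename", true
	}
	if base == "jquery.js" || base == "jquery.min.js" {
		return "", "filename", true
	}
	return "", "", false
}

func main() {
	// Constructed samples: vendored copy with banner, versioned file with banner stripped, unrelated script.
	banner := []byte("/*!\n * jQuery JavaScript Library v3.7.1\n * https://jquery.com/\n */\n")
	samples := map[string][]byte{
		"django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js": banner,
		"static/js/jquery-3.6.0.slim.min.js":                               []byte("!function(e,t){}(window)"),
		"static/js/app.js":                                                 []byte("console.log(1)"),
	}
	for p, b := range samples {
		v, src, ok := DetectJQuery(p, b)
		fmt.Printf("%-70s ok=%-5t version=%q source=%s\n", p, ok, v, src)
	}
}
```

Minified builds keep the `/*!` banner, so the header path also covers jquery.min.js; a CDN reference using @latest, as noted above, has no file on disk to scan and is out of reach for this approach.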
