Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Cataloger for Homebrew on macOS #3632

Open
rezmoss opened this issue Jan 29, 2025 · 2 comments
Open

Add Cataloger for Homebrew on macOS #3632

rezmoss opened this issue Jan 29, 2025 · 2 comments
Assignees
@rezmoss
Labels
enhancement New feature or request good-first-issue Good for newcomers new-cataloger

Comments

@rezmoss
Copy link

rezmoss commented Jan 29, 2025

What would you like to be added:

I would like to request the addition of a cataloger for Homebrew on macOS within Syft. This feature should enable Syft to scan and catalog installed Homebrew packages, allowing users to generate SBOMs that include Homebrew-installed software.

Why is this needed:

Homebrew is a widely used package manager for macOS, and many security vulnerabilities arise within installed Homebrew packages. Adding a Homebrew cataloger would help users surface vulnerabilities associated with their installed Homebrew applications, ensuring more comprehensive security scanning and compliance checks

Additional context:

  • Homebrew maintains a package database at /usr/local/Cellar/ (for Intel Macs) and /opt/homebrew/Cellar/ (for Apple Silicon Macs).
  • Each installed package has a subdirectory with versioned installations (e.g., /opt/homebrew/Cellar/git/2.42.0/).
  • Homebrew maintains a list of installed packages in /usr/local/Homebrew/Library/Taps/ or /opt/homebrew/Library/Taps/.
  • Running brew list --versions provides a structured list of installed packages and their versions.

By leveraging this data, Syft can catalog installed Homebrew applications and map them against vulnerability databases to enhance security insights for macOS users

I am interested to work on this new cataloger.
@rezmoss rezmoss added the enhancement New feature or request label Jan 29, 2025
@popey
Copy link
Contributor

popey commented Jan 30, 2025

Thanks for the issue @rezmoss and welcome to the community!

We briefly discussed this towards the end of today's live stream.

The team agreed that this would be an interesting and valuable cataloger to add, and I don't think any of us had considered it previously. So, good call!

We also pondered the possibility of scanning brew packages on linux, and I guess on WSL2 also?

In short, thanks for the issue and for stepping up to work on it. Feel free to let us know if you need help.

@kzantow kzantow moved this to Ready in OSS Feb 3, 2025
@kzantow kzantow added the good-first-issue Good for newcomers label Feb 3, 2025
@rezmoss
Copy link
Author

rezmoss commented Feb 3, 2025

Thank you @popey for the warm welcome and great suggestions! I’ll plan to address macOS first and also consider Linux/WSL2 support. I’m planning to start soon—will let you know if I need any help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rezmoss rezmoss

Labels
enhancement New feature or request good-first-issue Good for newcomers new-cataloger
Projects
OSS
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
5 participants
@wagoodman @popey @kzantow @spiffcs @rezmoss