From d1390b315e196f881dc3850b779f881c832b4c1a Mon Sep 17 00:00:00 2001 From: Josh Bressers Date: Tue, 16 Aug 2022 09:43:25 -0500 Subject: [PATCH 1/9] Give the contributing guide a substantial rework (#1155) --- CONTRIBUTING.md | 94 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 73 insertions(+), 21 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5d0382c8b1e..dc02ce2ab19 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,6 +2,57 @@ If you are looking to contribute to this project and want to open a GitHub pull request ("PR"), there are a few guidelines of what we are looking for in patches. Make sure you go through this document and ensure that your code proposal is aligned. +## Setting up your environment + +Before you can contribute to Syft, you need to configure your development environment. + +### Debian setup + +You will need to install Go. The version on https://go.dev works best, using the system golang doesn't always work the way you might expect. + +At the time of writing, Go 1.19 does not work correctly with Syft. Please use Go 1.18 for now. + +You will also need Docker. There's no reason the system packages shouldn't work, but we used the official Docker package. You can find instructions for installing Docker in Debian [here](https://docs.docker.com/engine/install/debian/). + +You also need to install some Debian packages + +```sh +sudo apt-get install build-essential zip bc libxml2-utils git +``` + +## Configuring Git + +You will need to configure your git client with your name and email address. This is easily done from the command line. + +```text +$ git config --global user.name "John Doe" +$ git config --global user.email "john.doe@example.com" +``` + +This username and email address will matter later in this guide. + +## Fork the repo + +You should fork the Syft repo using the "Fork" button at the top right of the Syft GitHub [site](https://github.com/anchore/syft/). You will be doing your development in your fork, then submit a pull request to Syft. There are many resources how to use GitHub effectively, we will not cover those here. + +## Adding a feature or fix + +If you look at the Syft [Issue](https://github.com/anchore/syft/issues) there are plenty of bugs and feature requests. Maybe look at the [good first issue](https://github.com/anchore/syft/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) list if you're not sure where to start. 
+ +## Commit guidelines + +In the Syft project we like commits and pull requests (PR) to be easy to understand and review. Open source thrives best when everything happening is over documented and small enough to be understood. + +### Granular commits + +Please try to make every commit as simple as possible, but no simpler. The idea is that each commit should be a logical unit of code. Try not to commit too many tiny changes, for example every line changed in a file as a separate commit. And also try not to make a commit enormous, for example committing all your work at the end of the day. + +Rather than try to follow a strict guide on what is or is not best, we try to be flexible and simple in this space. Do what makes the most sense for the changes you are trying to include. + +### Commit title and description + +Remember that the message you leave for a commit is for the reviewer in the present, and for someone (maybe you) changing something in the future. Please make sure the title and description used is easy to understand and explains what was done. Jokes and clever comments generally don't age well in commit messages. Just the facts please. + ## Sign off your work The `sign-off` is an added line at the end of the explanation for the commit, certifying that you wrote it or otherwise have the right to submit it as an open-source patch. By submitting a contribution, you agree to be bound by the terms of the DCO Version 1.1 and Apache License Version 2.0. @@ -44,13 +95,6 @@ When committing your change, you can add the required line manually so that it l Signed-off-by: John Doe ``` -Alternatively, configure your Git client with your name and email to use the `-s` flag when creating a commit: - -```text -$ git config --global user.name "John Doe" -$ git config --global user.email "john.doe@example.com" -``` - Creating a signed-off commit is then possible with `-s` or `--signoff`: ```text @@ -70,21 +114,9 @@ Date: Mon Aug 1 11:27:13 2020 -0400 
Signed-off-by: John Doe ``` - -[//]: # (TODO: Commit guidelines, granular commits) - - -[//]: # (TODO: Commit guidelines, descriptive messages) - - -[//]: # (TODO: Commit guidelines, commit title, extra body description) - - -[//]: # (TODO: PR title and description) - ## Test your changes -This project has a `Makefile` which includes many helpers running both unit and integration tests. Although PRs will have automatic checks for these, it is useful to run them locally, ensuring they pass before submitting changes. Ensure you've bootstrapped once before running tests: +This project has a `Makefile` which includes many helpers running both unit and integration tests. You can run `make help` to see all the options. Although PRs will have automatic checks for these, it is useful to run them locally, ensuring they pass before submitting changes. Ensure you've bootstrapped once before running tests: ```text $ make bootstrap 
@@ -97,6 +129,26 @@ $ make unit $ make integration ``` +You can also run `make all` to run a more extensive test suite, but there is additional configuration that will be needed for those tests to run correctly. We will not cover the extra steps here. + +## Pull Request + +If you made it this far and all the tests are passing, it's time to submit a Pull Request (PR) for Syft. Submitting a PR is always a scary moment as what happens next can be an unknown. The Syft project strives to be easy to work with, we appreciate all contributions. Nobody is going to yell at you or try to make you feel bad. We love contributions and know how scary that first PR can be. + +### PR Title and Description + +Just like the commit title and description mentioned above, the PR title and description is very important for letting others know what's happening. Please include any details you think a reviewer will need to more properly review your PR. + +A PR that is very large or poorly described has a higher likelihood of being pushed to the end of the list. Reviewers like PRs they can understand and quickly review. + +### What to expect next + +Please be patient with the project. We try to review PRs in a timely manner, but this is highly dependent on all the other tasks we have going on. It's OK to ask for a status update every week or two, it's not OK to ask for a status update every day. + +It's very likely the reviewer will have questions and suggestions for changes to your PR. If your changes don't match the current style and flow of the other code, expect a request to change what you've done. + ## Document your changes -When proposed changes are modifying user-facing functionality or output, it is expected the PR will include updates to the documentation as well. +And lastly, when proposed changes are modifying user-facing functionality or output, it is expected the PR will include updates to the documentation as well. Syft is not a project that is heavy on documentation. 
This will mostly be updating the README and help for the tool. + +If nobody knows new features exist, they can't use them! From 21eb77206020c04c9ca5316562e32179c73926a9 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 16 Aug 2022 14:14:02 -0400 Subject: [PATCH 2/9] Associate node package licenses from node_modules (#1152) --- internal/spdxlicense/license.go | 2 +- internal/spdxlicense/license_list.go | 23 +++- .../pkg/cataloger/common/generic_cataloger.go | 16 ++- syft/pkg/cataloger/javascript/cataloger.go | 58 +++++++++- .../cataloger/javascript/cataloger_test.go | 102 ++++++++++++++++++ .../javascript/parse_package_lock_test.go | 6 ++ .../node_modules/@actions/core/package.json | 44 ++++++++ .../pkg-lock/node_modules/cowsay/package.json | 59 ++++++++++ .../test-fixtures/pkg-lock/package-lock.json | 8 ++ 9 files changed, 309 insertions(+), 9 deletions(-) create mode 100644 syft/pkg/cataloger/javascript/cataloger_test.go create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/@actions/core/package.json create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/cowsay/package.json diff --git a/internal/spdxlicense/license.go b/internal/spdxlicense/license.go index c0f7f9350fc..a3029d2832f 100644 --- a/internal/spdxlicense/license.go +++ b/internal/spdxlicense/license.go @@ -12,7 +12,7 @@ import ( // EX: gpl-2.0.0-only ---> GPL-2.0-only // See the debian link for more details on the spdx license differences -//go:generate go run generate/generate_license_list.go +//go:generate go run ./generate func ID(id string) (string, bool) { value, exists := licenseIDs[strings.ToLower(id)] diff --git a/internal/spdxlicense/license_list.go b/internal/spdxlicense/license_list.go index 695f89d5581..65c47f4383f 100644 --- a/internal/spdxlicense/license_list.go +++ b/internal/spdxlicense/license_list.go 
@@ -1,9 +1,9 @@ // Code generated by go generate; DO NOT EDIT. -// This file was generated by robots at 2022-08-02 12:46:45.90647 -0400 EDT m=+0.327870639 +// This file was generated by robots at 2022-08-16 13:37:43.053262 -0400 EDT m=+0.183888850 // using data from https://spdx.org/licenses/licenses.json package spdxlicense -const Version = "3.17" +const Version = "3.18" var licenseIDs = map[string]string{ "0bsd": "0BSD", @@ -201,16 +201,19 @@ var licenseIDs = map[string]string{ "cc-by-3": "CC-BY-3.0", "cc-by-3-at": "CC-BY-3.0-AT", "cc-by-3-de": "CC-BY-3.0-DE", + "cc-by-3-igo": "CC-BY-3.0-IGO", "cc-by-3-nl": "CC-BY-3.0-NL", "cc-by-3-us": "CC-BY-3.0-US", "cc-by-3.0": "CC-BY-3.0", "cc-by-3.0-at": "CC-BY-3.0-AT", "cc-by-3.0-de": "CC-BY-3.0-DE", + "cc-by-3.0-igo": "CC-BY-3.0-IGO", "cc-by-3.0-nl": "CC-BY-3.0-NL", "cc-by-3.0-us": "CC-BY-3.0-US", "cc-by-3.0.0": "CC-BY-3.0", "cc-by-3.0.0-at": "CC-BY-3.0-AT", "cc-by-3.0.0-de": "CC-BY-3.0-DE", + "cc-by-3.0.0-igo": "CC-BY-3.0-IGO", "cc-by-3.0.0-nl": "CC-BY-3.0-NL", "cc-by-3.0.0-us": "CC-BY-3.0-US", "cc-by-4": "CC-BY-4.0", @@ -614,7 +617,6 @@ var licenseIDs = map[string]string{ "jasper-2.0.0": "JasPer-2.0", "jpnic": "JPNIC", "json": "JSON", - "kicad-libraries-exception": "KiCad-libraries-exception", "lal-1": "LAL-1.2", "lal-1.2": "LAL-1.2", "lal-1.2.0": "LAL-1.2", @@ -622,7 +624,7 @@ var licenseIDs = map[string]string{ "lal-1.3.0": "LAL-1.3", "latex2e": "Latex2e", "leptonica": "Leptonica", - "lgpl-2": "LGPL-2.1-only", + "lgpl-2": "LGPL-2.0-only", "lgpl-2+": "LGPL-2.0-or-later", "lgpl-2-only": "LGPL-2.0-only", "lgpl-2-or-later": "LGPL-2.0-or-later", 
@@ -692,7 +694,14 @@ var licenseIDs = map[string]string{ "lppl-1.3c": "LPPL-1.3c", "lppl-1a": "LPPL-1.3a", "lppl-1c": "LPPL-1.3c", + "lzma-sdk-9": "LZMA-SDK-9.22", + "lzma-sdk-9-to-9.20": "LZMA-SDK-9.11-to-9.20", + "lzma-sdk-9.11-to-9.20": "LZMA-SDK-9.11-to-9.20", + "lzma-sdk-9.11.0-to-9.20": "LZMA-SDK-9.11-to-9.20", + "lzma-sdk-9.22": "LZMA-SDK-9.22", + "lzma-sdk-9.22.0": "LZMA-SDK-9.22", "makeindex": "MakeIndex", + "minpack": "Minpack", "miros": "MirOS", "mit": "MIT", "mit-0": "MIT-0", @@ -704,6 +713,7 @@ var licenseIDs = map[string]string{ "mit-open-group": "MIT-open-group", "mitnfa": "MITNFA", "motosoto": "Motosoto", + "mpi-permissive": "mpi-permissive", "mpich2": "mpich2", "mpl-1": "MPL-1.0", "mpl-1.0": "MPL-1.0", @@ -717,6 +727,7 @@ var licenseIDs = map[string]string{ "mpl-2.0.0": "MPL-2.0", "mpl-2.0.0-no-copyleft-exception": "MPL-2.0-no-copyleft-exception", "mplus": "mplus", + "ms-lpl": "MS-LPL", "ms-pl": "MS-PL", "ms-rl": "MS-RL", "mtll": "MTLL", @@ -746,6 +757,9 @@ var licenseIDs = map[string]string{ "netcdf": "NetCDF", "newsletr": "Newsletr", "ngpl": "NGPL", + "nicta-1": "NICTA-1.0", + "nicta-1.0": "NICTA-1.0", + "nicta-1.0.0": "NICTA-1.0", "nist-pd": "NIST-PD", "nist-pd-fallback": "NIST-PD-fallback", "nlod-1": "NLOD-1.0", @@ -902,6 +916,7 @@ var licenseIDs = map[string]string{ "python-2": "Python-2.0", "python-2.0": "Python-2.0", "python-2.0.0": "Python-2.0", + "python-2.0.1": "Python-2.0.1", "qhull": "Qhull", "qpl-1": "QPL-1.0", "qpl-1.0": "QPL-1.0", diff --git a/syft/pkg/cataloger/common/generic_cataloger.go b/syft/pkg/cataloger/common/generic_cataloger.go index 5aa0681140d..5de3666bffa 100644 --- a/syft/pkg/cataloger/common/generic_cataloger.go +++ b/syft/pkg/cataloger/common/generic_cataloger.go 
@@ -6,10 +6,9 @@ package common import ( "fmt" - "github.com/anchore/syft/syft/artifact" - "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/source" ) @@ -19,14 +18,18 @@ import ( type GenericCataloger struct { globParsers map[string]ParserFn pathParsers map[string]ParserFn + postProcessors []PostProcessFunc upstreamCataloger string } +type PostProcessFunc func(resolver source.FileResolver, location source.Location, p *pkg.Package) error + // NewGenericCataloger if provided path-to-parser-function and glob-to-parser-function lookups creates a GenericCataloger -func NewGenericCataloger(pathParsers map[string]ParserFn, globParsers map[string]ParserFn, upstreamCataloger string) *GenericCataloger { +func NewGenericCataloger(pathParsers map[string]ParserFn, globParsers map[string]ParserFn, upstreamCataloger string, postProcessors ...PostProcessFunc) *GenericCataloger { return &GenericCataloger{ globParsers: globParsers, pathParsers: pathParsers, + postProcessors: postProcessors, upstreamCataloger: upstreamCataloger, } } @@ -69,6 +72,13 @@ func (c *GenericCataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, continue } + for _, postProcess := range c.postProcessors { + err = postProcess(resolver, location, p) + if err != nil { + return nil, nil, err + } + } + packages = append(packages, *p) } diff --git a/syft/pkg/cataloger/javascript/cataloger.go b/syft/pkg/cataloger/javascript/cataloger.go index 791554a5d53..80b4d8077b7 100644 --- a/syft/pkg/cataloger/javascript/cataloger.go +++ b/syft/pkg/cataloger/javascript/cataloger.go 
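Review bot: The exported `PostProcessFunc` type is added without a doc comment, and the comment on `NewGenericCataloger` does not mention the new variadic `postProcessors` parameter. Going by the loop added to `Catalog` later in this file, a suitable comment is `// PostProcessFunc is called for each package a parser returns, before the package is added to the results; it may modify p, and a non-nil error aborts Catalog.` The constructor comment could gain one sentence saying post-processors run in the order given.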
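Review bot: A post-processor failure in the new loop inside `Catalog` returns `nil, nil, err` unwrapped, which discards every package already collected and gives no indication of which file or package failed. The branch just above it ends in `continue` (its condition is outside the hunk), so the two failure paths are handled inconsistently. If aborting is intended, add context with `return nil, nil, fmt.Errorf("post-processing %q from %s: %w", p.Name, location.RealPath, err)`; otherwise log and keep the package. The call also reads better as `if err := postProcess(resolver, location, p); err != nil {`.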
@@ -4,7 +4,15 @@ Package javascript provides a concrete Cataloger implementation for JavaScript e package javascript import ( + "encoding/json" + "io" + "path" + "strings" + + "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg/cataloger/common" + "github.com/anchore/syft/syft/source" ) // NewJavascriptPackageCataloger returns a new JavaScript cataloger object based on detection of npm based packages. 
@@ -23,5 +31,53 @@ func NewJavascriptLockCataloger() *common.GenericCataloger { "**/yarn.lock": parseYarnLock, } - return common.NewGenericCataloger(nil, globParsers, "javascript-lock-cataloger") + return common.NewGenericCataloger(nil, globParsers, "javascript-lock-cataloger", addLicenses) +} + +func addLicenses(resolver source.FileResolver, location source.Location, p *pkg.Package) error { + dir := path.Dir(location.RealPath) + pkgPath := []string{dir, "node_modules"} + pkgPath = append(pkgPath, strings.Split(p.Name, "/")...) + pkgPath = append(pkgPath, "package.json") + pkgFile := path.Join(pkgPath...) + locations, err := resolver.FilesByPath(pkgFile) + if err != nil { + log.Debugf("an error occurred attempting to read: %s - %+v", pkgFile, err) + return nil + } + + if len(locations) == 0 { + return nil + } + + for _, location := range locations { + contentReader, err := resolver.FileContentsByLocation(location) + if err != nil { + log.Debugf("error getting file content reader for %s: %v", pkgFile, err) + return nil + } + + contents, err := io.ReadAll(contentReader) + if err != nil { + log.Debugf("error reading file contents for %s: %v", pkgFile, err) + return nil + } + + var pkgJSON packageJSON + err = json.Unmarshal(contents, &pkgJSON) + if err != nil { + log.Debugf("error parsing %s: %v", pkgFile, err) + return nil + } + + licenses, err := pkgJSON.licensesFromJSON() + if err != nil { + log.Debugf("error getting licenses from %s: %v", pkgFile, err) + return nil + } + + p.Licenses = licenses + } + + return nil } diff --git a/syft/pkg/cataloger/javascript/cataloger_test.go b/syft/pkg/cataloger/javascript/cataloger_test.go new file mode 100644 index 00000000000..325d0b65fd6 --- /dev/null +++ b/syft/pkg/cataloger/javascript/cataloger_test.go 
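Review bot: `p.Name` comes straight from the parsed lock file and is split and joined into `pkgFile` in `addLicenses` with no validation. Because `path.Join` collapses `..` segments, a name in a scanned lock file can make the lookup resolve a `package.json` outside `dir/node_modules` and attach that file's license to the package. A containment check after the join closes this, e.g. `if !strings.HasPrefix(pkgFile, path.Join(dir, "node_modules")+"/") { return nil }`. The reader from `FileContentsByLocation` goes to `io.ReadAll` with no size bound and is never closed; if it is an `io.ReadCloser`, close it (a per-location helper keeps `defer` out of the loop) and consider `io.LimitReader`. The loop also overwrites `p.Licenses` on each iteration, so the last location wins, and nothing confirms that the `package.json` found is for the version in `p.Version`.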
@@ -0,0 +1,102 @@ +package javascript + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/anchore/syft/syft/pkg" + "github.com/anchore/syft/syft/source" +) + +func Test_JavascriptCataloger(t *testing.T) { + expected := map[string]pkg.Package{ + "@actions/core": { + Name: "@actions/core", + Version: "1.6.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + "wordwrap": { + Name: "wordwrap", + Version: "0.0.3", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "get-stdin": { + Name: "get-stdin", + Version: "5.0.1", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "minimist": { + Name: "minimist", + Version: "0.0.10", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "optimist": { + Name: "optimist", + Version: "0.6.1", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "string-width": { + Name: "string-width", + Version: "2.1.1", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "strip-ansi": { + Name: "strip-ansi", + Version: "4.0.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "strip-eof": { + Name: "wordwrap", + Version: "1.0.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "ansi-regex": { + Name: "ansi-regex", + Version: "3.0.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "is-fullwidth-code-point": { + Name: "is-fullwidth-code-point", + Version: "2.0.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + "cowsay": { + Name: "cowsay", + Version: "1.4.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + } + + s, err := source.NewFromDirectory("test-fixtures/pkg-lock") + require.NoError(t, err) + + resolver, err := s.FileResolver(source.AllLayersScope) + require.NoError(t, err) + + actual, _, err := NewJavascriptLockCataloger().Catalog(resolver) + if err != nil { + t.Fatalf("failed to parse package-lock.json: %+v", err) + } + + var pkgs []*pkg.Package + for _, p := range actual { + p2 := p + pkgs = 
append(pkgs, &p2) + } + + assertPkgsEqual(t, pkgs, expected) +} diff --git a/syft/pkg/cataloger/javascript/parse_package_lock_test.go b/syft/pkg/cataloger/javascript/parse_package_lock_test.go index ab88e2f1629..a809441d9a2 100644 --- a/syft/pkg/cataloger/javascript/parse_package_lock_test.go +++ b/syft/pkg/cataloger/javascript/parse_package_lock_test.go @@ -30,6 +30,12 @@ func assertPkgsEqual(t *testing.T, actual []*pkg.Package, expected map[string]pk func TestParsePackageLock(t *testing.T) { expected := map[string]pkg.Package{ + "@actions/core": { + Name: "@actions/core", + Version: "1.6.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, "wordwrap": { Name: "wordwrap", Version: "0.0.3", diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/@actions/core/package.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/@actions/core/package.json new file mode 100644 index 00000000000..8d7a3997488 --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/@actions/core/package.json 
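Review bot: The `strip-eof` entry in `expected` has `Name: "wordwrap"`, which looks like a copy-paste slip. Depending on how `assertPkgsEqual` (defined outside this hunk) matches entries, that package is either never compared or compared under the wrong name; it should read `Name: "strip-eof",`. The fixture covers only well-formed `package.json` files, so the debug-and-skip branches of `addLicenses` (unparseable JSON, unreadable file) are not exercised. The test also mixes `require.NoError` with a manual `t.Fatalf`; using `require.NoError(t, err)` for the `Catalog` call would be consistent.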
@@ -0,0 +1,44 @@ +{ + "name": "@actions/core", + "version": "1.6.0", + "description": "Actions core lib", + "keywords": [ + "github", + "actions", + "core" + ], + "homepage": "https://github.com/actions/toolkit/tree/main/packages/core", + "license": "MIT", + "main": "lib/core.js", + "types": "lib/core.d.ts", + "directories": { + "lib": "lib", + "test": "__tests__" + }, + "files": [ + "lib", + "!.DS_Store" + ], + "publishConfig": { + "access": "public" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/actions/toolkit.git", + "directory": "packages/core" + }, + "scripts": { + "audit-moderate": "npm install && npm audit --json --audit-level=moderate > audit.json", + "test": "echo \"Error: run tests from root\" && exit 1", + "tsc": "tsc" + }, + "bugs": { + "url": "https://github.com/actions/toolkit/issues" + }, + "dependencies": { + "@actions/http-client": "^1.0.11" + }, + "devDependencies": { + "@types/node": "^12.0.2" + } +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/cowsay/package.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/cowsay/package.json new file mode 100644 index 00000000000..7492c95f16d --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/node_modules/cowsay/package.json 
@@ -0,0 +1,59 @@ +{ + "name": "cowsay", + "version": "1.4.0", + "description": "cowsay is a configurable talking cow", + "keywords": [ + "cow", + "cowsay", + "cowthink", + "figlet", + "talking", + "ASCII" + ], + "homepage": "https://github.com/piuccio/cowsay", + "author": { + "name": "Fabio Crisci", + "email": "piuccio@gmail.com", + "url": "https://github.com/piuccio/" + }, + "license": "MIT", + "main": "./index", + "module": "./build/cowsay.es.js", + "browser": "./build/cowsay.umd.js", + "bin": { + "cowsay": "./cli.js", + "cowthink": "./cli.js" + }, + "files": [ + "index.js", + "cli.js", + "build/", + "cows/", + "lib/" + ], + "repository": { + "type": "git", + "url": "https://github.com/piuccio/cowsay.git" + }, + "scripts": { + "prepublish": "rollup -c", + "test": "node test.js" + }, + "dependencies": { + "get-stdin": "^5.0.1", + "optimist": "~0.6.1", + "string-width": "~2.1.1", + "strip-eof": "^1.0.0" + }, + "devDependencies": { + "nodeunit": "~0.11.1", + "rollup": "^0.48.2", + "rollup-plugin-commonjs": "^8.2.0", + "rollup-plugin-node-resolve": "^3.0.0", + "rollup-plugin-string": "^2.0.2" + }, + "preferGlobal": true, + "engines": { + "node": ">= 4" + } +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json index 4056cac02a5..7a14a9e2120 100644 --- a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json +++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock.json 
@@ -2,6 +2,14 @@ "requires": true, "lockfileVersion": 1, "dependencies": { + "@actions/core": { + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.6.0.tgz", + "integrity": "sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==", + "requires": { + "@actions/http-client": "^1.0.11" + } + }, "ansi-regex": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz", From f3c3d3d98e991d954d1f16fa643fd51774128be1 Mon Sep 17 00:00:00 2001 From: Justin Chadwell Date: Mon, 22 Aug 2022 15:29:00 +0100 Subject: [PATCH 3/9] Prevent symlinks causing duplicate package-file relationships (#1168) --- syft/pkg/cataloger/catalog.go | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/syft/pkg/cataloger/catalog.go b/syft/pkg/cataloger/catalog.go index fa0e4d72da0..c9bd4f51a4f 100644 --- a/syft/pkg/cataloger/catalog.go +++ b/syft/pkg/cataloger/catalog.go @@ -110,29 +110,36 @@ func packageFileOwnershipRelationships(p pkg.Package, resolver source.FilePathRe return nil, nil } - var relationships []artifact.Relationship + locations := map[artifact.ID]source.Location{} for _, path := range fileOwner.OwnedFiles() { - locations, err := resolver.FilesByPath(path) + pathRefs, err := resolver.FilesByPath(path) if err != nil { return nil, fmt.Errorf("unable to find path for path=%q: %w", path, err) } - if len(locations) == 0 { + if len(pathRefs) == 0 { // ideally we want to warn users about missing files from a package, however, it is very common for // container image authors to delete files that are not needed in order to keep image sizes small. Adding // a warning here would be needlessly noisy (even for popular base images). continue } - for _, l := range locations { - relationships = append(relationships, artifact.Relationship{ - 
From: p, - To: l.Coordinates, - Type: artifact.ContainsRelationship, - }) + for _, ref := range pathRefs { + if oldRef, ok := locations[ref.Coordinates.ID()]; ok { + log.Debugf("found path duplicate of %s", oldRef.RealPath) + } + locations[ref.Coordinates.ID()] = ref } } + var relationships []artifact.Relationship + for _, location := range locations { + relationships = append(relationships, artifact.Relationship{ + From: p, + To: location.Coordinates, + Type: artifact.ContainsRelationship, + }) + } return relationships, nil } From e9221ae25d37eeddf76ec63da32956a5e62a78a8 Mon Sep 17 00:00:00 2001 From: cpendery <35637443+cpendery@users.noreply.github.com> Date: Mon, 22 Aug 2022 07:45:55 -0700 Subject: [PATCH 4/9] feat: add support for pnpm (#1166) --- syft/pkg/cataloger/javascript/cataloger.go | 1 + .../cataloger/javascript/parse_pnpm_lock.go | 43 +++++++++++ .../javascript/parse_pnpm_lock_test.go | 52 ++++++++++++++ .../test-fixtures/pnpm/pnpm-lock.yaml | 72 +++++++++++++++++++ 4 files changed, 168 insertions(+) create mode 100644 syft/pkg/cataloger/javascript/parse_pnpm_lock.go create mode 100644 syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml diff --git a/syft/pkg/cataloger/javascript/cataloger.go b/syft/pkg/cataloger/javascript/cataloger.go index 80b4d8077b7..3853c51f890 100644 --- a/syft/pkg/cataloger/javascript/cataloger.go +++ b/syft/pkg/cataloger/javascript/cataloger.go @@ -29,6 +29,7 @@ func NewJavascriptLockCataloger() *common.GenericCataloger { globParsers := map[string]common.ParserFn{ "**/package-lock.json": parsePackageLock, "**/yarn.lock": parseYarnLock, + "**/pnpm-lock.yaml": parsePnpmLock, } return common.NewGenericCataloger(nil, globParsers, "javascript-lock-cataloger", addLicenses) diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go new file mode 100644 index 00000000000..fc0cb2cb493 --- /dev/null 
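Review bot: Building `relationships` by ranging over the `locations` map makes the returned order vary from run to run, whereas the removed code followed `OwnedFiles()` and resolver order. Unless relationships are sorted later (not visible here), SBOM output for the same input stops being reproducible and becomes harder to diff or attest. De-duplicate with a seen-set and append in encounter order, e.g. `if _, ok := seen[id]; ok { continue }` before the append, or sort the slice before returning. The debug message prints only `oldRef.RealPath`; including `ref.RealPath` would show which two paths collapsed to the same ID. The function begins outside the hunk.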
+++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go
@@ -0,0 +1,43 @@
+package javascript
+
+import (
+ "fmt"
+ "io"
+
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/pkg"
+ "github.com/anchore/syft/syft/pkg/cataloger/common"
+ "gopkg.in/yaml.v3"
+)
+
+// integrity check
+var _ common.ParserFn = parsePnpmLock
+
+type pnpmLockYaml struct {
+ Dependencies map[string]string `json:"dependencies"`
+}
+
+func parsePnpmLock(path string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
+ bytes, err := io.ReadAll(reader)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to load pnpm-lock.yaml file: %w", err)
+ }
+
+ var pkgs []*pkg.Package
+ var lockFile pnpmLockYaml
+
+ if err := yaml.Unmarshal(bytes, &lockFile); err != nil {
+ return nil, nil, fmt.Errorf("failed to parse pnpm-lock.yaml file: %w", err)
+ }
+
+ for name, version := range lockFile.Dependencies {
+ pkgs = append(pkgs, &pkg.Package{
+ Name: name,
+ Version: version,
+ Language: pkg.JavaScript,
+ Type: pkg.NpmPkg,
+ })
+ }
+
+ return pkgs, nil, nil
+}
diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go
new file mode 100644
index 00000000000..cf5c7dc91a3
--- /dev/null
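Review bot: `pnpmLockYaml.Dependencies` carries a `json:"dependencies"` tag but is decoded with `yaml.Unmarshal`, which does not read `json` tags; it works only because yaml.v3 falls back to the lower-cased field name. The tag should be `yaml:"dependencies"`. Only the top-level `dependencies` map is read, so the transitive set under `packages:` and everything in `devDependencies` never reach the SBOM. Version values carrying a pnpm peer suffix, like the `8.0.0_size-limit@8.0.0` in the fixture's `devDependencies`, would be stored verbatim as `Version`. A comment on `parsePnpmLock` stating these limits would keep consumers from reading the output as a complete inventory, and the local `bytes` shadows the standard package name (`contents` would do).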
@@ -0,0 +1,52 @@ +package javascript + +import ( + "os" + "testing" + + "github.com/anchore/syft/syft/pkg" + "github.com/go-test/deep" +) + +func fixtureP(str string) *string { + return &str +} + +func TestParsePnpmLock(t *testing.T) { + expected := []*pkg.Package{ + { + Name: "nanoid", + Version: "3.3.4", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + { + Name: "picocolors", + Version: "1.0.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + { + Name: "source-map-js", + Version: "1.0.2", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + }, + } + + fixture, err := os.Open("test-fixtures/pnpm/pnpm-lock.yaml") + if err != nil { + t.Fatalf("failed to open fixture: %+v", err) + } + + // TODO: no relationships are under test yet + actual, _, err := parsePnpmLock(fixture.Name(), fixture) + if err != nil { + t.Error(err) + } + + differences := deep.Equal(expected, actual) + if differences != nil { + t.Errorf("returned package list differed from expectation: %+v", differences) + } +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml b/syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml new file mode 100644 index 00000000000..70e3575188e --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/pnpm/pnpm-lock.yaml 
@@ -0,0 +1,72 @@ +lockfileVersion: 5.4 + +specifiers: + '@logux/eslint-config': ^47.2.0 + '@size-limit/preset-small-lib': ^8.0.0 + '@types/fs-extra': ^9.0.13 + '@types/node': ^18.6.4 + '@typescript-eslint/eslint-plugin': ^5.32.0 + '@typescript-eslint/parser': ^5.32.0 + c8: ^7.12.0 + check-dts: ^0.6.7 + clean-publish: ^4.0.1 + concat-with-sourcemaps: ^1.1.0 + eslint: ^8.21.0 + eslint-config-standard: ^17.0.0 + eslint-plugin-import: ^2.26.0 + eslint-plugin-n: ^15.2.4 + eslint-plugin-prefer-let: ^3.0.1 + eslint-plugin-promise: ^6.0.0 + fs-extra: ^10.1.0 + nanodelay: ^1.0.8 + nanoid: ^3.3.4 + nanospy: ^0.5.0 + picocolors: ^1.0.0 + postcss-parser-tests: ^8.5.1 + simple-git-hooks: ^2.8.0 + size-limit: ^8.0.0 + source-map-js: ^1.0.2 + strip-ansi: ^6.0.1 + ts-node: ^10.9.1 + typescript: ^4.7.4 + uvu: ^0.5.6 + +dependencies: + nanoid: 3.3.4 + picocolors: 1.0.0 + source-map-js: 1.0.2 + +devDependencies: + '@logux/eslint-config': 47.2.0_7hz3xvmviof7onfgk6hpedqcom + '@size-limit/preset-small-lib': 8.0.0_size-limit@8.0.0 + '@types/fs-extra': 9.0.13 + '@types/node': 18.6.4 + '@typescript-eslint/eslint-plugin': 5.32.0_iosr3hrei2tubxveewluhu5lhy + '@typescript-eslint/parser': 5.32.0_qugx7qdu5zevzvxaiqyxfiwquq + c8: 7.12.0 + check-dts: 0.6.7_typescript@4.7.4 + clean-publish: 4.0.1 + concat-with-sourcemaps: 1.1.0 + eslint: 8.21.0 + eslint-config-standard: 17.0.0_dfwa53o44x4e5xhsfv5mvfhk5a + eslint-plugin-import: 2.26.0_wuikv5nqgdfyng42xxm7lklfmi + eslint-plugin-n: 15.2.4_eslint@8.21.0 + eslint-plugin-prefer-let: 3.0.1 + eslint-plugin-promise: 6.0.0_eslint@8.21.0 + fs-extra: 10.1.0 + nanodelay: 1.0.8 + nanospy: 0.5.0 + postcss-parser-tests: 8.5.1 + simple-git-hooks: 2.8.0 + size-limit: 8.0.0 + strip-ansi: 6.0.1 + ts-node: 10.9.1_hn66opzbaneygq52jmwjxha6su + typescript: 4.7.4 + uvu: 0.5.6 + +packages: + /@bcoe/v8-coverage/0.2.3: + resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==} + dev: true + + # removed other 
packages From 13296880cdafb378eda10b5c76909a584a5fdb2a Mon Sep 17 00:00:00 2001 From: Marco Deicas <60855123+mdeicas@users.noreply.github.com> Date: Mon, 22 Aug 2022 11:22:18 -0400 Subject: [PATCH 5/9] External sources configuration (#1158) --- cmd/syft/cli/options/packages.go | 9 ++++ internal/config/application.go | 4 +- internal/config/datasources.go | 11 +++++ syft/pkg/cataloger/alpm/cataloger.go | 5 +++ syft/pkg/cataloger/cataloger.go | 45 ++++++++++++++++--- syft/pkg/cataloger/cataloger_test.go | 34 +++++++++++--- .../pkg/cataloger/common/generic_cataloger.go | 5 +++ syft/pkg/cataloger/config.go | 5 ++- syft/pkg/cataloger/deb/cataloger.go | 5 +++ syft/pkg/cataloger/golang/binary_cataloger.go | 5 +++ syft/pkg/cataloger/portage/cataloger.go | 5 +++ .../pkg/cataloger/python/package_cataloger.go | 5 +++ syft/pkg/cataloger/rpmdb/cataloger.go | 5 +++ .../cataloger/rust/audit_binary_cataloger.go | 5 +++ 14 files changed, 132 insertions(+), 16 deletions(-) create mode 100644 internal/config/datasources.go diff --git a/cmd/syft/cli/options/packages.go b/cmd/syft/cli/options/packages.go index 8891f814e91..93ff3ac85a7 100644 --- a/cmd/syft/cli/options/packages.go +++ b/cmd/syft/cli/options/packages.go @@ -26,6 +26,7 @@ type PackagesOptions struct { OverwriteExistingImage bool ImportTimeout uint Catalogers []string + ExternalSourcesEnabled bool } var _ Interface = (*PackagesOptions)(nil) 
@@ -70,9 +71,13 @@ func (o *PackagesOptions) AddFlags(cmd *cobra.Command, v *viper.Viper) error { cmd.Flags().UintVarP(&o.ImportTimeout, "import-timeout", "", 30, "set a timeout duration (in seconds) for the upload to Anchore Enterprise") + cmd.Flags().BoolVarP(&o.ExternalSourcesEnabled, "external-sources-enabled", "", false, + "shut off any use of external sources during sbom generation (default false") + return bindPackageConfigOptions(cmd.Flags(), v) } +//nolint:funlen func bindPackageConfigOptions(flags *pflag.FlagSet, v *viper.Viper) error { // Formatting & Input options ////////////////////////////////////////////// @@ -104,6 +109,10 @@ func bindPackageConfigOptions(flags *pflag.FlagSet, v *viper.Viper) error { return err } + if err := v.BindPFlag("external_sources.external-sources-enabled", flags.Lookup("external-sources-enabled")); err != nil { + return err + } + // Upload options ////////////////////////////////////////////////////////// if err := v.BindPFlag("anchore.host", flags.Lookup("host")); err != nil { diff --git a/internal/config/application.go b/internal/config/application.go index d5898b0d103..3a7a0e790cc 100644 --- a/internal/config/application.go +++ b/internal/config/application.go @@ -57,6 +57,7 @@ type Application struct { Exclusions []string `yaml:"exclude" json:"exclude" mapstructure:"exclude"` Attest attest `yaml:"attest" json:"attest" mapstructure:"attest"` Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` + ExternalSources ExternalSources `yaml:"external_sources" json:"external_sources" mapstructure:"external_sources"` } func (cfg Application) ToCatalogerConfig() cataloger.Config { @@ -66,7 +67,8 @@ func (cfg Application) ToCatalogerConfig() cataloger.Config { IncludeUnindexedArchives: cfg.Package.SearchUnindexedArchives, Scope: cfg.Package.Cataloger.ScopeOpt, }, - Catalogers: cfg.Catalogers, + Catalogers: cfg.Catalogers, + ExternalSourcesEnabled: cfg.ExternalSources.ExternalSourcesEnabled, } } 
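Review bot: The help text added for `--external-sources-enabled` in AddFlags says the opposite of what the flag does: it reads "shut off any use of external sources", yet setting the flag to true enables them. The trailing `(default false` is also missing its closing parenthesis. This switch decides whether catalogers may reach outside the scanned source, so the wording should be unambiguous, for example `"allow catalogers to use external sources during SBOM generation"`. AddFlags begins above this hunk.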
diff --git a/internal/config/datasources.go b/internal/config/datasources.go new file mode 100644 index 00000000000..cc0e507be4f --- /dev/null +++ b/internal/config/datasources.go @@ -0,0 +1,11 @@ +package config + +import "github.com/spf13/viper" + +type ExternalSources struct { + ExternalSourcesEnabled bool `yaml:"external-sources-enabled" json:"external-sources-enabled" mapstructure:"external-sources-enabled"` +} + +func (e ExternalSources) loadDefaultValues(v *viper.Viper) { + v.SetDefault("external-sources-enabled", false) +} diff --git a/syft/pkg/cataloger/alpm/cataloger.go b/syft/pkg/cataloger/alpm/cataloger.go index 87a7b285e89..2e099df1468 100644 --- a/syft/pkg/cataloger/alpm/cataloger.go +++ b/syft/pkg/cataloger/alpm/cataloger.go @@ -23,6 +23,11 @@ func (c *Cataloger) Name() string { return catalogerName } +// UsesExternalSources indicates that the alpmdb cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing rpm db installation. func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { fileMatches, err := resolver.FilesByGlob(pkg.AlpmDBGlob) diff --git a/syft/pkg/cataloger/cataloger.go b/syft/pkg/cataloger/cataloger.go index 57ddcf5cf33..3170c70ea15 100644 --- a/syft/pkg/cataloger/cataloger.go +++ b/syft/pkg/cataloger/cataloger.go 
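Review bot: `loadDefaultValues` registers the default under the top-level key `external-sources-enabled`, while bindPackageConfigOptions binds the flag to `external_sources.external-sources-enabled` and Application maps the struct under `external_sources`, so the default appears to land on a key nothing reads. The bool zero value keeps the feature off today, but the mismatch would silently matter if the default were ever changed. `v.SetDefault("external_sources.external-sources-enabled", false)` keeps the three places in agreement. Whether loadDefaultValues is actually invoked for this struct is not visible in the patch.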
@@ -41,6 +41,8 @@ type Cataloger interface { Name() string // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source. Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) + // UsesExternalSources returns if the cataloger uses external sources, such as querying a database + UsesExternalSources() bool } // ImageCatalogers returns a slice of locally implemented catalogers that are fit for detecting installations of packages. @@ -58,7 +60,7 @@ func ImageCatalogers(cfg Config) []Cataloger { golang.NewGoModuleBinaryCataloger(), dotnet.NewDotnetDepsCataloger(), portage.NewPortageCataloger(), - }, cfg.Catalogers) + }, cfg) } // DirectoryCatalogers returns a slice of locally implemented catalogers that are fit for detecting packages from index files (and select installations) @@ -84,7 +86,7 @@ func DirectoryCatalogers(cfg Config) []Cataloger { cpp.NewConanfileCataloger(), portage.NewPortageCataloger(), haskell.NewHackageCataloger(), - }, cfg.Catalogers) + }, cfg) } // AllCatalogers returns all implemented catalogers @@ -114,10 +116,20 @@ func AllCatalogers(cfg Config) []Cataloger { cpp.NewConanfileCataloger(), portage.NewPortageCataloger(), haskell.NewHackageCataloger(), - }, cfg.Catalogers) + }, cfg) } +// RequestedAllCatalogers returns true if all Catalogers have been requested. Takes into account cfg.ExternalSourcesEnabled func RequestedAllCatalogers(cfg Config) bool { + // if external sources are disabled, only return false if there actually are any catalogers that use external sources + if !cfg.ExternalSourcesEnabled { + for _, cat := range AllCatalogers(Config{Catalogers: []string{"all"}, ExternalSourcesEnabled: true}) { + if cat.UsesExternalSources() { + return false + } + } + } + for _, enableCatalogerPattern := range cfg.Catalogers { if enableCatalogerPattern == AllCatalogersPattern { return true 
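Review bot: In RequestedAllCatalogers the new check passes the literal `"all"` where the loop directly below compares against `AllCatalogersPattern`; use the constant so the two cannot drift: `AllCatalogers(Config{Catalogers: []string{AllCatalogersPattern}, ExternalSourcesEnabled: true})`. The check also builds every cataloger on each call just to read UsesExternalSources(), and it returns false before cfg.Catalogers is looked at. The doc comment should state that with external sources disabled the answer is false whenever any such cataloger exists, even if "all" was requested.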
@@ -126,14 +138,33 @@ func RequestedAllCatalogers(cfg Config) bool { return false } -func filterCatalogers(catalogers []Cataloger, enabledCatalogerPatterns []string) []Cataloger { +func filterForExternalSources(catalogers []Cataloger, cfg Config) []Cataloger { + if cfg.ExternalSourcesEnabled { + return catalogers + } + + var enabledCatalogers []Cataloger + for _, cataloger := range catalogers { + if !cataloger.UsesExternalSources() { + enabledCatalogers = append(enabledCatalogers, cataloger) + } else { + log.Infof("cataloger %v will not be used because external sources are disabled", cataloger.Name()) + } + } + + return enabledCatalogers +} + +func filterCatalogers(catalogers []Cataloger, cfg Config) []Cataloger { + enabledCatalogerPatterns := cfg.Catalogers + // if cataloger is not set, all applicable catalogers are enabled by default if len(enabledCatalogerPatterns) == 0 { - return catalogers + return filterForExternalSources(catalogers, cfg) } for _, enableCatalogerPattern := range enabledCatalogerPatterns { if enableCatalogerPattern == AllCatalogersPattern { - return catalogers + return filterForExternalSources(catalogers, cfg) } } var keepCatalogers []Cataloger @@ -144,7 +175,7 @@ func filterCatalogers(catalogers []Cataloger, enabledCatalogerPatterns []string) } log.Infof("skipping cataloger %q", cataloger.Name()) } - return keepCatalogers + return filterForExternalSources(keepCatalogers, cfg) } func contains(enabledPartial []string, catalogerName string) bool { diff --git a/syft/pkg/cataloger/cataloger_test.go b/syft/pkg/cataloger/cataloger_test.go index e47944dab82..7b6931804ba 100644 --- a/syft/pkg/cataloger/cataloger_test.go +++ b/syft/pkg/cataloger/cataloger_test.go @@ -1,11 +1,12 @@ package cataloger import ( + "testing" + "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/source" "github.com/stretchr/testify/assert" - "testing" ) var _ Cataloger = (*dummy)(nil) 
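Review bot: filterForExternalSources is the one place where the external-sources switch is enforced, but it has no doc comment, and the guarantee rests entirely on each cataloger answering UsesExternalSources() accurately. I would add `// filterForExternalSources drops every cataloger that reports UsesExternalSources() unless cfg.ExternalSourcesEnabled is set; the result is only as accurate as those self-reports.` above the function. It is also worth noting there that a cataloger the user named explicitly is dropped with only an info-level log line.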
@@ -22,12 +23,17 @@ func (d dummy) Catalog(_ source.FileResolver) ([]pkg.Package, []artifact.Relatio panic("not implemented") } +func (d dummy) UsesExternalSources() bool { + return false +} + func Test_filterCatalogers(t *testing.T) { tests := []struct { - name string - patterns []string - catalogers []string - want []string + name string + patterns []string + ExternalSourcesEnabled bool + catalogers []string + want []string }{ { name: "no filtering", @@ -142,6 +148,21 @@ func Test_filterCatalogers(t *testing.T) { "go-module-binary-cataloger", }, }, + { // Note: no catalogers with external sources are currently implemented + name: "external sources enabled", + patterns: []string{"all"}, + ExternalSourcesEnabled: true, + catalogers: []string{ + "ruby-gemspec-cataloger", + "python-package-cataloger", + "rekor-cataloger", + }, + want: []string{ + "ruby-gemspec-cataloger", + "python-package-cataloger", + "rekor-cataloger", + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -149,7 +170,8 @@ func Test_filterCatalogers(t *testing.T) { for _, n := range tt.catalogers { catalogers = append(catalogers, dummy{name: n}) } - got := filterCatalogers(catalogers, tt.patterns) + cfg := Config{Catalogers: tt.patterns, ExternalSourcesEnabled: tt.ExternalSourcesEnabled} + got := filterCatalogers(catalogers, cfg) var gotNames []string for _, g := range got { gotNames = append(gotNames, g.Name()) diff --git a/syft/pkg/cataloger/common/generic_cataloger.go b/syft/pkg/cataloger/common/generic_cataloger.go index 5de3666bffa..beef2ab7409 100644 --- a/syft/pkg/cataloger/common/generic_cataloger.go +++ b/syft/pkg/cataloger/common/generic_cataloger.go 
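Review bot: The drop branch of filterForExternalSources is never exercised by these tests, because `dummy.UsesExternalSources()` always returns false and the only new case sets `ExternalSourcesEnabled: true`. The path that matters for the feature is disabled plus a cataloger that reports external use, and it has no coverage. Giving dummy a bool field and returning it (`return d.usesExternalSources`, the field name being my suggestion) would allow a case with `ExternalSourcesEnabled: false` that expects "rekor-cataloger" to be absent from `want`. The dummy struct itself is declared outside this hunk.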
@@ -39,6 +39,11 @@ func (c *GenericCataloger) Name() string { return c.upstreamCataloger } +// UsesExternalSources indicates that any GenericCatalogor does not use external sources +func (c *GenericCataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source. func (c *GenericCataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { var packages []pkg.Package diff --git a/syft/pkg/cataloger/config.go b/syft/pkg/cataloger/config.go index 478fc292d11..20920b86ff5 100644 --- a/syft/pkg/cataloger/config.go +++ b/syft/pkg/cataloger/config.go @@ -5,8 +5,9 @@ import ( ) type Config struct { - Search SearchConfig - Catalogers []string + Search SearchConfig + Catalogers []string + ExternalSourcesEnabled bool } func DefaultConfig() Config { diff --git a/syft/pkg/cataloger/deb/cataloger.go b/syft/pkg/cataloger/deb/cataloger.go index 4b9146fd73b..c341f4ccc1b 100644 --- a/syft/pkg/cataloger/deb/cataloger.go +++ b/syft/pkg/cataloger/deb/cataloger.go @@ -36,6 +36,11 @@ func (c *Cataloger) Name() string { return "dpkgdb-cataloger" } +// UsesExternalSources indicates that the dpkgdb cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing dpkg support files. func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { dbFileMatches, err := resolver.FilesByGlob(pkg.DpkgDBGlob) diff --git a/syft/pkg/cataloger/golang/binary_cataloger.go b/syft/pkg/cataloger/golang/binary_cataloger.go index 494c7da86c2..f6917e942d3 100644 --- a/syft/pkg/cataloger/golang/binary_cataloger.go +++ b/syft/pkg/cataloger/golang/binary_cataloger.go 
@@ -28,6 +28,11 @@ func (c *Cataloger) Name() string { return catalogerName } +// UsesExternalSources indicates that the golang binary cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing rpm db installation. func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { var pkgs []pkg.Package diff --git a/syft/pkg/cataloger/portage/cataloger.go b/syft/pkg/cataloger/portage/cataloger.go index a8cd5b79646..632e986e9ab 100644 --- a/syft/pkg/cataloger/portage/cataloger.go +++ b/syft/pkg/cataloger/portage/cataloger.go @@ -37,6 +37,11 @@ func (c *Cataloger) Name() string { return "portage-cataloger" } +// UsesExternalSources indicates that the portage cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing portage support files. func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { dbFileMatches, err := resolver.FilesByGlob(pkg.PortageDBGlob) diff --git a/syft/pkg/cataloger/python/package_cataloger.go b/syft/pkg/cataloger/python/package_cataloger.go index d58fe7ccd3b..983d5969d88 100644 --- a/syft/pkg/cataloger/python/package_cataloger.go +++ b/syft/pkg/cataloger/python/package_cataloger.go 
@@ -33,6 +33,11 @@ func (c *PackageCataloger) Name() string { return "python-package-cataloger" } +// UsesExternalSources indicates that the python package cataloger does not use external sources +func (c *PackageCataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing python egg and wheel installations. func (c *PackageCataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { var fileMatches []source.Location diff --git a/syft/pkg/cataloger/rpmdb/cataloger.go b/syft/pkg/cataloger/rpmdb/cataloger.go index 74fdbfebb64..67425802bbb 100644 --- a/syft/pkg/cataloger/rpmdb/cataloger.go +++ b/syft/pkg/cataloger/rpmdb/cataloger.go @@ -27,6 +27,11 @@ func (c *Cataloger) Name() string { return catalogerName } +// UsesExternalSources indicates that the rpmdb cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing rpm db installation. func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { fileMatches, err := resolver.FilesByGlob(pkg.RpmDBGlob) diff --git a/syft/pkg/cataloger/rust/audit_binary_cataloger.go b/syft/pkg/cataloger/rust/audit_binary_cataloger.go index eeab99cf1d2..1508aebdb8f 100644 --- a/syft/pkg/cataloger/rust/audit_binary_cataloger.go +++ b/syft/pkg/cataloger/rust/audit_binary_cataloger.go 
@@ -27,6 +27,11 @@ func (c *Cataloger) Name() string { return catalogerName } +// UsesExternalSources indicates that the audit binary cataloger does not use external sources +func (c *Cataloger) UsesExternalSources() bool { + return false +} + // Catalog identifies executables then attempts to read Rust dependency information from them func (c *Cataloger) Catalog(resolver source.FileResolver) ([]pkg.Package, []artifact.Relationship, error) { var pkgs []pkg.Package From c56d3b5eef9d5de4617953ac9647b97165df9725 Mon Sep 17 00:00:00 2001 From: cpendery <35637443+cpendery@users.noreply.github.com> Date: Mon, 22 Aug 2022 08:23:44 -0700 Subject: [PATCH 6/9] feat: add support for licenses in package-lock json v2 (#1164) --- syft/pkg/cataloger/javascript/cataloger.go | 2 +- .../javascript/parse_package_lock.go | 26 ++++++- .../javascript/parse_package_lock_test.go | 44 ++++++++++++ .../pkg-lock/package-lock-2.json | 71 +++++++++++++++++++ 4 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json diff --git a/syft/pkg/cataloger/javascript/cataloger.go b/syft/pkg/cataloger/javascript/cataloger.go index 3853c51f890..cefbaccb570 100644 --- a/syft/pkg/cataloger/javascript/cataloger.go +++ b/syft/pkg/cataloger/javascript/cataloger.go @@ -77,7 +77,7 @@ func addLicenses(resolver source.FileResolver, location source.Location, p *pkg. return nil } - p.Licenses = licenses + p.Licenses = append(p.Licenses, licenses...) } return nil diff --git a/syft/pkg/cataloger/javascript/parse_package_lock.go b/syft/pkg/cataloger/javascript/parse_package_lock.go index 30c2897b02c..5b98135bc6a 100644 --- a/syft/pkg/cataloger/javascript/parse_package_lock.go +++ b/syft/pkg/cataloger/javascript/parse_package_lock.go @@ -4,6 +4,7 @@ import ( "encoding/json" "fmt" "io" + "strings" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/pkg" 
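Review bot: In addLicenses, `p.Licenses = append(p.Licenses, licenses...)` can now record the same license twice when the lock-file parser has already filled `p.Licenses` and the licenses resolved here overlap with it. Duplicates would flow straight into the generated SBOM, so I would skip any entry already present in `p.Licenses` before appending. The rest of addLicenses lies outside this hunk, so where `licenses` comes from is not visible here.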
@@ -18,6 +19,7 @@ type PackageLock struct { Requires bool `json:"requires"` LockfileVersion int `json:"lockfileVersion"` Dependencies map[string]Dependency + Packages map[string]Package } // Dependency represents a single package dependency listed in the package.lock json file @@ -25,7 +27,13 @@ type Dependency struct { Version string `json:"version"` Resolved string `json:"resolved"` Integrity string `json:"integrity"` - Requires map[string]string +} + +type Package struct { + Version string `json:"version"` + Resolved string `json:"resolved"` + Integrity string `json:"integrity"` + License string `json:""` } // parsePackageLock parses a package-lock.json and returns the discovered JavaScript packages. @@ -46,12 +54,28 @@ func parsePackageLock(path string, reader io.Reader) ([]*pkg.Package, []artifact } else if err != nil { return nil, nil, fmt.Errorf("failed to parse package-lock.json file: %w", err) } + licenseMap := make(map[string]string) + for _, pkgMeta := range lock.Packages { + var sb strings.Builder + sb.WriteString(pkgMeta.Resolved) + sb.WriteString(pkgMeta.Integrity) + licenseMap[sb.String()] = pkgMeta.License + } + for name, pkgMeta := range lock.Dependencies { + var sb strings.Builder + sb.WriteString(pkgMeta.Resolved) + sb.WriteString(pkgMeta.Integrity) + var licenses []string + if license, exists := licenseMap[sb.String()]; exists { + licenses = append(licenses, license) + } packages = append(packages, &pkg.Package{ Name: name, Version: pkgMeta.Version, Language: pkg.JavaScript, Type: pkg.NpmPkg, + Licenses: licenses, }) } } diff --git a/syft/pkg/cataloger/javascript/parse_package_lock_test.go b/syft/pkg/cataloger/javascript/parse_package_lock_test.go index a809441d9a2..c280a61cb51 100644 --- a/syft/pkg/cataloger/javascript/parse_package_lock_test.go +++ b/syft/pkg/cataloger/javascript/parse_package_lock_test.go 
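Review bot: The new `Package.License` field carries an empty struct tag (`json:""`), unlike its three siblings. Decoding still works only because encoding/json falls back to the field name and matches keys case-insensitively. Spell it out as `json:"license"` so the mapping is explicit and consistent with `version`, `resolved` and `integrity`.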
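Review bot: In parsePackageLock the licenseMap lookup accepts an entry on `exists` alone, so a `packages` entry with no `license` field makes the matching dependency get `Licenses: []string{""}`. The key is `Resolved + Integrity`, which means every entry lacking both (the root `""` package in the new fixture is one) collapses onto the empty key, and a dependency without those fields would inherit whatever was stored there last. Testing the value instead of presence, `if license := licenseMap[key]; license != "" { licenses = append(licenses, license) }`, and skipping empty keys when filling the map avoids both. parsePackageLock starts above this hunk.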
@@ -111,3 +111,47 @@ func TestParsePackageLock(t *testing.T) { assertPkgsEqual(t, actual, expected) } + +func TestParsePackageLockV2(t *testing.T) { + expected := map[string]pkg.Package{ + "@types/prop-types": { + Name: "@types/prop-types", + Version: "15.7.5", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + "@types/react": { + Name: "@types/prop-types", + Version: "18.0.17", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + "@types/scheduler": { + Name: "@types/scheduler", + Version: "0.16.2", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + "csstype": { + Name: "csstype", + Version: "3.1.0", + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + Licenses: []string{"MIT"}, + }, + } + fixture, err := os.Open("test-fixtures/pkg-lock/package-lock-2.json") + if err != nil { + t.Fatalf("failed to open fixture: %+v", err) + } + + actual, _, err := parsePackageLock(fixture.Name(), fixture) + if err != nil { + t.Fatalf("failed to parse package-lock.json: %+v", err) + } + + assertPkgsEqual(t, actual, expected) +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json new file mode 100644 index 00000000000..2373f27ca0a --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/pkg-lock/package-lock-2.json 
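Review bot: The expected entry keyed `"@types/react"` in TestParsePackageLockV2 has `Name: "@types/prop-types"`, which looks like a copy-paste slip; it should be `Name: "@types/react"`. If the test passes as written, assertPkgsEqual (not shown here) presumably does not compare names, and the test then gives less assurance than it seems to. The fixture opened with `os.Open` is also never closed; a `defer fixture.Close()` after the error check would fix that.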
@@ -0,0 +1,71 @@ +{ + "name": "npm", + "version": "6.14.6", + "lockfileVersion": 2, + "requires": true, + "packages": { + "": { + "name": "npm", + "version": "6.14.6", + "dependencies": { + "@types/react": "^18.0.9" + } + }, + "node_modules/@types/prop-types": { + "version": "15.7.5", + "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.5.tgz", + "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8=", + "license": "MIT" + }, + "node_modules/@types/react": { + "version": "18.0.17", + "resolved": "https://registry.npmjs.org/@types/react/-/react-18.0.17.tgz", + "integrity": "sha1-RYPZwyLWfv5LOak10iPtzHBQzPQ=", + "license": "MIT", + "dependencies": { + "@types/prop-types": "*", + "@types/scheduler": "*", + "csstype": "^3.0.2" + } + }, + "node_modules/@types/scheduler": { + "version": "0.16.2", + "resolved": "https://registry.npmjs.org/@types/scheduler/-/scheduler-0.16.2.tgz", + "integrity": "sha1-GmL4lSVyPd4kuhsBsJK/XfitTTk=", + "license": "MIT" + }, + "node_modules/csstype": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz", + "integrity": "sha1-TdysNxjXh8+d8NG30VAzklyPKfI=", + "license": "MIT" + } + }, + "dependencies": { + "@types/prop-types": { + "version": "15.7.5", + "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.5.tgz", + "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8=" + }, + "@types/react": { + "version": "18.0.17", + "resolved": "https://registry.npmjs.org/@types/react/-/react-18.0.17.tgz", + "integrity": "sha1-RYPZwyLWfv5LOak10iPtzHBQzPQ=", + "requires": { + "@types/prop-types": "*", + "@types/scheduler": "*", + "csstype": "^3.0.2" + } + }, + "@types/scheduler": { + "version": "0.16.2", + "resolved": "https://registry.npmjs.org/@types/scheduler/-/scheduler-0.16.2.tgz", + "integrity": "sha1-GmL4lSVyPd4kuhsBsJK/XfitTTk=" + }, + "csstype": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.1.0.tgz", + "integrity": 
"sha1-TdysNxjXh8+d8NG30VAzklyPKfI=" + } + } +} From 5282820b5d035b53f9af0f757f0e0ada38edccf6 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 22 Aug 2022 15:28:24 +0000 Subject: [PATCH 7/9] workflow to create automated PRs to update bootstrap tools (#1167) --- .github/workflows/update-bootstrap-tools.yml | 75 ++++++++++++++++++++ Makefile | 18 +++-- 2 files changed, 87 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/update-bootstrap-tools.yml diff --git a/.github/workflows/update-bootstrap-tools.yml b/.github/workflows/update-bootstrap-tools.yml new file mode 100644 index 00000000000..3982ffbf5bd --- /dev/null +++ b/.github/workflows/update-bootstrap-tools.yml 
@@ -0,0 +1,75 @@ +name: PR for latest versions of bootstrap tools +on: + schedule: + - cron: "0 8 * * *" # 3 AM EST + + workflow_dispatch: + +env: + GO_VERSION: "1.18.x" + GO_STABLE_VERSION: true + +jobs: + update-bootstrap-tools: + runs-on: ubuntu-latest + if: github.repository == 'anchore/syft' # only run for main repo + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-go@v2 + with: + go-version: ${{ env.GO_VERSION }} + stable: ${{ env.GO_STABLE_VERSION }} + + - run: | + GOLANGCILINT_LATEST_VERSION=$(go list -m -json github.com/golangci/golangci-lint@latest 2>/dev/null | jq -r '.Version') + BOUNCER_LATEST_VERSION=$(go list -m -json github.com/wagoodman/go-bouncer@latest 2>/dev/null | jq -r '.Version') + CHRONICLE_LATEST_VERSION=$(go list -m -json github.com/anchore/chronicle@latest 2>/dev/null | jq -r '.Version') + GORELEASER_LATEST_VERSION=$(go list -m -json github.com/goreleaser/goreleaser@latest 2>/dev/null | jq -r '.Version') + YAJSV_LATEST_VERSION=$(go list -m -json github.com/neilpa/yajsv@latest 2>/dev/null | jq -r '.Version') + COSIGN_LATEST_VERSION=$(go list -m -json github.com/sigstore/cosign@latest 2>/dev/null | jq -r '.Version') + + # update version variables in the Makefile + sed -r -i -e 's/^(GOLANGCILINT_VERSION = ).*/\1'${GOLANGCILINT_LATEST_VERSION}'/' Makefile + sed -r -i -e 's/^(BOUNCER_VERSION = ).*/\1'${BOUNCER_LATEST_VERSION}'/' Makefile + sed -r -i -e 's/^(CHRONICLE_VERSION = ).*/\1'${CHRONICLE_LATEST_VERSION}'/' Makefile + sed -r -i -e 's/^(GORELEASER_VERSION = ).*/\1'${GORELEASER_LATEST_VERSION}'/' Makefile + sed -r -i -e 's/^(YAJSV_VERSION = ).*/\1'${YAJSV_LATEST_VERSION}'/' Makefile + sed -r -i -e 's/^(COSIGN_VERSION = ).*/\1'${COSIGN_LATEST_VERSION}'/' Makefile + + # update cosign in go.mod as well + go get github.com/sigstore/cosign@$COSIGN_LATEST_VERSION + go mod tidy + + # export the versions for use with create-pull-request + echo "::set-output name=GOLANGCILINT::$GOLANGCILINT_LATEST_VERSION" + echo "::set-output 
name=BOUNCER::BOUNCER_LATEST_VERSION" + echo "::set-output name=CHRONICLE::CHRONICLE_LATEST_VERSION" + echo "::set-output name=GORELEASER::GORELEASER_LATEST_VERSION" + echo "::set-output name=YAJSV::YAJSV_LATEST_VERSION" + echo "::set-output name=COSIGN::COSIGN_LATEST_VERSION" + id: latest-versions + + - uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: ${{ secrets.TOKEN_APP_ID }} + private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} + + - uses: peter-evans/create-pull-request@v4 + with: + signoff: true + delete-branch: true + branch: auto/latest-bootstrap-tools + labels: dependencies + commit-message: 'Update syft bootstrap tools to latest versions.' + title: 'Update syft bootstrap tools to latest versions.' + body: | + - [golangci-lint ${{ steps.latest-versions.outputs.GOLANGCILINT }}](https://github.com/golangci/golangci-lint/releases/tag/${{ steps.latest-versions.outputs.GOLANGCILINT }}) + - [bouncer ${{ steps.latest-versions.outputs.BOUNCER }}](https://github.com/wagoodman/go-bouncer/releases/tag/${{ steps.latest-versions.outputs.BOUNCER }}) + - [chronicle ${{ steps.latest-versions.outputs.CHRONICLE }}](https://github.com/anchore/chronicle/releases/tag/${{ steps.latest-versions.outputs.CHRONICLE }}) + - [goreleaser ${{ steps.latest-versions.outputs.GORELEASER }}](https://github.com/goreleaser/goreleaser/releases/tag/${{ steps.latest-versions.outputs.GORELEASER }}) + - [yajsv ${{ steps.latest-versions.outputs.YAJSV }}](https://github.com/neilpa/yajsv/releases/tag/${{ steps.latest-versions.outputs.YAJSV }}) + - [cosign ${{ steps.latest-versions.outputs.COSIGN }}](https://github.com/sigstore/cosign/releases/tag/${{ steps.latest-versions.outputs.COSIGN }}) + This is an auto-generated pull request to update all of the bootstrap tools to the latest versions. + token: ${{ steps.generate-token.outputs.token }} \ No newline at end of file diff --git a/Makefile b/Makefile index c1d20c24a7f..1d17d6f139a 100644 --- a/Makefile +++ b/Makefile 
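Review bot: The two third-party actions are referenced by mutable tags (`tibdex/github-app-token@v1`, `peter-evans/create-pull-request@v4`), and the first of them receives `secrets.TOKEN_APP_PRIVATE_KEY`. A moved tag would run new code with that key, so pin both to a full commit SHA with the tag kept as a comment, for example `uses: tibdex/github-app-token@<full-commit-sha> # v1`. The same applies to `actions/checkout@v3` and `actions/setup-go@v2`, although those steps do not see the key.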
@@ -9,6 +9,12 @@ SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot VERSION=$(shell git describe --dirty --always --tags) COMPARE_TEST_IMAGE = centos:8.2.2004 COMPARE_DIR = ./test/compare +GOLANGCILINT_VERSION = v1.47.2 +BOUNCER_VERSION = v0.4.0 +CHRONICLE_VERSION = v0.3.0 +GORELEASER_VERSION = v1.10.3 +YAJSV_VERSION = v1.4.0 +COSIGN_VERSION = v1.10.0 # formatting variables BOLD := $(shell tput -T linux bold) @@ -106,12 +112,12 @@ $(TEMPDIR): .PHONY: bootstrap-tools bootstrap-tools: $(TEMPDIR) GO111MODULE=off GOBIN=$(shell realpath $(TEMPDIR)) go get -u golang.org/x/perf/cmd/benchstat - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.47.2 - curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ v0.4.0 - curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMPDIR)/ v0.3.0 - .github/scripts/goreleaser-install.sh -d -b $(TEMPDIR)/ v1.10.3 - GOBIN="$(shell realpath $(TEMPDIR))" go install github.com/neilpa/yajsv@v1.4.0 - GOBIN="$(shell realpath $(TEMPDIR))" go install github.com/sigstore/cosign/cmd/cosign@v1.10.0 + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ $(GOLANGCILINT_VERSION) + curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ $(BOUNCER_VERSION) + curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMPDIR)/ $(CHRONICLE_VERSION) + .github/scripts/goreleaser-install.sh -d -b $(TEMPDIR)/ $(GORELEASER_VERSION) + GOBIN="$(shell realpath $(TEMPDIR))" go install github.com/neilpa/yajsv@$(YAJSV_VERSION) + GOBIN="$(shell realpath $(TEMPDIR))" go install github.com/sigstore/cosign/cmd/cosign@$(COSIGN_VERSION) .PHONY: bootstrap-go bootstrap-go: From 6949a2500f4763e89711630e5be3f834df633caf Mon Sep 17 00:00:00 2001 
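Review bot: The install scripts in bootstrap-tools are still fetched from a moving branch (`.../golangci-lint/master/install.sh`, `.../go-bouncer/master/bouncer.sh`, `.../chronicle/main/install.sh`) and piped to `sh`, so only the tool version is pinned, not the code that runs. Now that the versions live in variables, the script ref can be pinned along with them, for example `https://raw.githubusercontent.com/golangci/golangci-lint/$(GOLANGCILINT_VERSION)/install.sh`, assuming each project keeps the script at that path in its tags. Checking a checksum of what was downloaded before it is used would close the remaining gap.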
From: Weston Steimel Date: Mon, 22 Aug 2022 16:17:28 +0000 Subject: [PATCH 8/9] Fix update-bootstrap-tools workflow (#1170) --- .github/workflows/update-bootstrap-tools.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/update-bootstrap-tools.yml b/.github/workflows/update-bootstrap-tools.yml index 3982ffbf5bd..8d46bce6d6c 100644 --- a/.github/workflows/update-bootstrap-tools.yml +++ b/.github/workflows/update-bootstrap-tools.yml @@ -43,11 +43,11 @@ jobs: # export the versions for use with create-pull-request echo "::set-output name=GOLANGCILINT::$GOLANGCILINT_LATEST_VERSION" - echo "::set-output name=BOUNCER::BOUNCER_LATEST_VERSION" - echo "::set-output name=CHRONICLE::CHRONICLE_LATEST_VERSION" - echo "::set-output name=GORELEASER::GORELEASER_LATEST_VERSION" - echo "::set-output name=YAJSV::YAJSV_LATEST_VERSION" - echo "::set-output name=COSIGN::COSIGN_LATEST_VERSION" + echo "::set-output name=BOUNCER::$BOUNCER_LATEST_VERSION" + echo "::set-output name=CHRONICLE::$CHRONICLE_LATEST_VERSION" + echo "::set-output name=GORELEASER::$GORELEASER_LATEST_VERSION" + echo "::set-output name=YAJSV::$YAJSV_LATEST_VERSION" + echo "::set-output name=COSIGN::$COSIGN_LATEST_VERSION" id: latest-versions - uses: tibdex/github-app-token@v1 From b0fc955e0c406a12d8aaddcd8ececda89cbcddce Mon Sep 17 00:00:00 2001 From: "anchore-actions-token-generator[bot]" <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Date: Tue, 23 Aug 2022 20:36:59 +0100 Subject: [PATCH 9/9] Update syft bootstrap tools to latest versions. (#1171) * Update syft bootstrap tools to latest versions. Signed-off-by: GitHub 
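Review bot: The corrected lines still use the `::set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file. Writing `echo "BOUNCER=$BOUNCER_LATEST_VERSION" >> "$GITHUB_OUTPUT"`, and likewise for the other five, stops fetched values from being emitted as workflow commands on stdout. The values come from `go list ... | jq` earlier in the step, outside this hunk, and are not checked for being empty or `null` before use.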
Signed-off-by: Weston Steimel Co-authored-by: Weston Steimel --- Makefile | 6 +- cmd/syft/cli/commands.go | 3 +- cmd/syft/cli/eventloop/event_loop.go | 3 +- go.mod | 69 ++++----- go.sum | 145 ++++++++++-------- internal/anchore/import.go | 2 +- internal/anchore/import_config.go | 2 +- internal/anchore/import_manifest.go | 2 +- internal/config/registry.go | 2 +- internal/file/zip_read_closer.go | 3 +- internal/formats/common/property_encoder.go | 2 +- .../formats/spdx22tagvalue/to_format_model.go | 6 +- internal/formats/syftjson/model/package.go | 2 +- syft/event/event.go | 2 +- syft/lib.go | 6 +- syft/pkg/cataloger/alpm/parse_alpm_db.go | 2 +- syft/pkg/cataloger/apkdb/parse_apk_db.go | 3 +- syft/pkg/cataloger/java/archive_filename.go | 19 +-- .../pkg/cataloger/java/parse_java_manifest.go | 3 +- syft/pkg/cataloger/python/parse_setup.go | 7 +- ui/event_handlers.go | 9 +- 21 files changed, 161 insertions(+), 137 deletions(-) diff --git a/Makefile b/Makefile index 1d17d6f139a..d0c74098be0 100644 --- a/Makefile +++ b/Makefile @@ -9,12 +9,12 @@ SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot VERSION=$(shell git describe --dirty --always --tags) COMPARE_TEST_IMAGE = centos:8.2.2004 COMPARE_DIR = ./test/compare -GOLANGCILINT_VERSION = v1.47.2 +GOLANGCILINT_VERSION = v1.48.0 BOUNCER_VERSION = v0.4.0 -CHRONICLE_VERSION = v0.3.0 +CHRONICLE_VERSION = v0.4.1 GORELEASER_VERSION = v1.10.3 YAJSV_VERSION = v1.4.0 -COSIGN_VERSION = v1.10.0 +COSIGN_VERSION = v1.11.0 # formatting variables BOLD := $(shell tput -T linux bold) diff --git a/cmd/syft/cli/commands.go b/cmd/syft/cli/commands.go index e4663de8157..4a1b1cfa431 100644 --- a/cmd/syft/cli/commands.go +++ b/cmd/syft/cli/commands.go 
@@ -31,7 +31,8 @@ const indent = " " // at this level. Values from the config should only be used after `app.LoadAllValues` has been called. // Cobra does not have knowledge of the user provided flags until the `RunE` block of each command. // `RunE` is the earliest that the complete application configuration can be loaded. -// nolint:funlen +// +//nolint:funlen func New() (*cobra.Command, error) { app := &config.Application{} diff --git a/cmd/syft/cli/eventloop/event_loop.go b/cmd/syft/cli/eventloop/event_loop.go index c369dc0c9f3..396dd74919f 100644 --- a/cmd/syft/cli/eventloop/event_loop.go +++ b/cmd/syft/cli/eventloop/event_loop.go @@ -14,7 +14,8 @@ import ( // eventLoop listens to worker errors (from execution path), worker events (from a partybus subscription), and // signal interrupts. Is responsible for handling each event relative to a given UI an to coordinate eventing until // an eventual graceful exit. -// nolint:funlen +// +//nolint:funlen func EventLoop(workerErrs <-chan error, signals <-chan os.Signal, subscription *partybus.Subscription, cleanupFn func(), uxs ...ui.UI) error { defer cleanupFn() events := subscription.Events() diff --git a/go.mod b/go.mod index b801cd8b752..1ae2e7f2408 100644 --- a/go.mod +++ b/go.mod @@ -49,8 +49,8 @@ require ( github.com/x-cray/logrus-prefixed-formatter v0.5.2 github.com/xeipuuv/gojsonschema v1.2.0 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 - golang.org/x/net v0.0.0-20220708220712-1185a9018129 - golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 + golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 + golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 gopkg.in/yaml.v2 v2.4.0 ) 
@@ -60,9 +60,9 @@ require ( github.com/google/go-containerregistry v0.11.0 github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add github.com/knqyf263/go-rpmdb v0.0.0-20220629110411-9a3bd2ebb923 - github.com/sigstore/cosign v1.10.1 - github.com/sigstore/rekor v0.9.1 - github.com/sigstore/sigstore v1.2.1-0.20220614141825-9c0e2e247545 + github.com/sigstore/cosign v1.11.0 + github.com/sigstore/rekor v0.10.0 + github.com/sigstore/sigstore v1.4.0 github.com/vbatts/go-mtree v0.5.0 gopkg.in/yaml.v3 v3.0.1 ) @@ -70,10 +70,10 @@ require ( require ( bitbucket.org/creachadair/shell v0.0.7 // indirect cloud.google.com/go/compute v1.7.0 // indirect - github.com/Azure/azure-sdk-for-go v65.0.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go v66.0.0+incompatible // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect + github.com/Azure/go-autorest/autorest v0.11.28 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect 
@@ -86,19 +86,19 @@ require ( github.com/PaesslerAG/jsonpath v0.1.1 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect - github.com/aws/aws-sdk-go-v2 v1.16.5 // indirect - github.com/aws/aws-sdk-go-v2/config v1.15.10 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.12.5 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.6 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13 // indirect + github.com/aws/aws-sdk-go-v2 v1.16.11 // indirect + github.com/aws/aws-sdk-go-v2/config v1.17.0 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.12.13 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.11.8 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.16.7 // indirect - github.com/aws/smithy-go v1.11.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.11.16 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.16.13 // indirect + github.com/aws/smithy-go v1.12.1 // indirect github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04 // indirect github.com/benbjohnson/clock v1.1.0 // indirect github.com/beorn7/perks v1.0.1 // indirect 
@@ -131,7 +131,6 @@ require ( github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fullstorydev/grpcurl v1.8.6 // indirect github.com/gabriel-vasile/mimetype v1.4.0 // indirect - github.com/ghodss/yaml v1.0.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-logr/logr v1.2.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect @@ -143,16 +142,16 @@ require ( github.com/go-openapi/runtime v0.24.1 // indirect github.com/go-openapi/spec v0.20.6 // indirect github.com/go-openapi/strfmt v0.21.3 // indirect - github.com/go-openapi/swag v0.21.1 // indirect + github.com/go-openapi/swag v0.22.1 // indirect github.com/go-openapi/validate v0.22.0 // indirect - github.com/go-piv/piv-go v1.9.0 // indirect + github.com/go-piv/piv-go v1.10.0 // indirect github.com/go-playground/locales v0.14.0 // indirect github.com/go-playground/universal-translator v0.18.0 // indirect github.com/go-playground/validator/v10 v10.11.0 // indirect github.com/go-restruct/restruct v1.2.0-alpha // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt v3.2.2+incompatible // indirect - github.com/golang-jwt/jwt/v4 v4.3.0 // indirect + github.com/golang-jwt/jwt/v4 v4.4.2 // indirect github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/mock v1.6.0 // indirect @@ -181,7 +180,7 @@ require ( github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect - github.com/jhump/protoreflect v1.10.3 // indirect + github.com/jhump/protoreflect v1.12.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jonboulle/clockwork v0.3.0 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -190,7 +189,7 @@ require ( github.com/klauspost/compress v1.15.8 // indirect github.com/klauspost/pgzip v1.2.5 // indirect github.com/leodido/go-urn v1.2.1 // indirect - github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect + github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e // indirect github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381 // indirect github.com/magiconair/properties v1.8.6 // indirect github.com/mailru/easyjson v0.7.7 // indirect @@ -244,7 +243,7 @@ require ( github.com/ulikunitz/xz v0.5.10 // indirect github.com/urfave/cli v1.22.7 // indirect github.com/vbatts/tar-split v0.11.2 // indirect - github.com/xanzy/go-gitlab v0.70.0 // indirect + github.com/xanzy/go-gitlab v0.72.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect 
@@ -273,19 +272,19 @@ require ( go.opentelemetry.io/otel/sdk v1.7.0 // indirect go.opentelemetry.io/otel/trace v1.7.0 // indirect go.opentelemetry.io/proto/otlp v0.16.0 // indirect - go.uber.org/atomic v1.9.0 // indirect + go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.21.0 // indirect - golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect - golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect - golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 // indirect + golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect + golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect + golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect golang.org/x/text v0.3.7 // indirect - golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect + golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect golang.org/x/tools v0.1.11 // indirect golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect - google.golang.org/api v0.91.0 // indirect + google.golang.org/api v0.92.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect + google.golang.org/genproto v0.0.0-20220720214146-176da50484ac // indirect google.golang.org/grpc v1.48.0 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect @@ -310,7 +309,7 @@ require ( modernc.org/strutil v1.1.1 // indirect modernc.org/token v1.0.0 // indirect sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect - sigs.k8s.io/release-utils v0.7.1 // indirect + sigs.k8s.io/release-utils v0.7.3 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) 
@@ -320,7 +319,7 @@ require ( // go: warning: github.com/andybalholm/brotli@v1.0.1: retracted by module author: occasional panics and data corruption github.com/andybalholm/brotli v1.0.4 // indirect github.com/pkg/errors v0.9.1 - golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect + golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect ) retract ( diff --git a/go.sum b/go.sum index ef931dce5dd..c9e1a59f089 100644 --- a/go.sum +++ b/go.sum @@ -105,8 +105,8 @@ github.com/Azure/azure-sdk-for-go v29.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v46.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v60.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v65.0.0+incompatible h1:HzKLt3kIwMm4KeJYTdx9EbjRYTySD/t8i1Ee/W5EGXw= -github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= +github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0= github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= 
@@ -122,16 +122,17 @@ github.com/Azure/go-autorest/autorest v0.11.18/go.mod h1:dSiJPy22c3u0OtOKDNttNgq github.com/Azure/go-autorest/autorest v0.11.19/go.mod h1:dSiJPy22c3u0OtOKDNttNgqpNFY/GeWa7GH/Pz56QRA= github.com/Azure/go-autorest/autorest v0.11.22/go.mod h1:BAWYUWGPEtKPzjVkp0Q6an0MJcJDsoh5Z1BFAEFs4Xs= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= +github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= +github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= github.com/Azure/go-autorest/autorest/adal v0.9.4/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.14/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= github.com/Azure/go-autorest/autorest/adal v0.9.17/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.18 h1:kLnPsRjzZZUF3K5REu/Kc+qMQrvuza2bwSnNdhmzLfQ= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= +github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/azure/auth v0.5.2/go.mod h1:q98IH4qgc3eWM4/WOeR5+YPmBuy8Lq0jNRDwSM0CuFk= 
github.com/Azure/go-autorest/autorest/azure/auth v0.5.9/go.mod h1:hg3/1yw0Bq87O3KvvnJoAh34/0zbP7SFizX/qN5JvjU= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= @@ -216,7 +217,6 @@ github.com/PaesslerAG/jsonpath v0.1.1/go.mod h1:lVboNxFGal/VwW6d9JzIy56bUsYAP6tH github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/ReneKroon/ttlcache/v2 v2.11.0 h1:OvlcYFYi941SBN3v9dsDcC2N8vRxyHcCmJb3Vl4QMoM= github.com/ReneKroon/ttlcache/v2 v2.11.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= 
@@ -308,26 +308,26 @@ github.com/aws/aws-sdk-go v1.42.25/go.mod h1:gyRszuZ/icHmHAVE4gc/r+cfCmhA1AD+vqf github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU= -github.com/aws/aws-sdk-go-v2 v1.16.5 h1:Ah9h1TZD9E2S1LzHpViBO3Jz9FPL5+rmflmb8hXirtI= -github.com/aws/aws-sdk-go-v2 v1.16.5/go.mod h1:Wh7MEsmEApyL5hrWzpDkba4gwAPc5/piwLVLFnCxp48= +github.com/aws/aws-sdk-go-v2 v1.16.11 h1:xM1ZPSvty3xVmdxiGr7ay/wlqv+MWhH0rMlyLdbC0YQ= +github.com/aws/aws-sdk-go-v2 v1.16.11/go.mod h1:WTACcleLz6VZTp7fak4EO5b9Q4foxbn+8PIz3PmyKlo= github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= -github.com/aws/aws-sdk-go-v2/config v1.15.10 h1:0HSMRNGlR0/WlGbeKC9DbBphBwRIK5H4cKUbgqNTKcA= -github.com/aws/aws-sdk-go-v2/config v1.15.10/go.mod h1:XL4DzwzWdwXBzKdwMdpLkMIaGEQCYRQyzA4UnJaUnNk= +github.com/aws/aws-sdk-go-v2/config v1.17.0 h1:e0tIuubcjp0gJQdllgEMwolWWXGK/sKAFd1tS5S6m6I= +github.com/aws/aws-sdk-go-v2/config v1.17.0/go.mod h1:4SKzBMiB8lV0fw2w7eDBo/LjQyHFITN4vUUuqpurFmI= github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= -github.com/aws/aws-sdk-go-v2/credentials v1.12.5 h1:WNNCUTWA0vyMy5t8LfS4iB7QshsW0DsHS/VdhyCGZWM= -github.com/aws/aws-sdk-go-v2/credentials v1.12.5/go.mod h1:DOcdLlkqUiNGyXnjWgspC3eIAdXhj8q0pO1LiSvrTI4= +github.com/aws/aws-sdk-go-v2/credentials v1.12.13 h1:cuPzIsjKAWBUAAk8ZUR2l02Sxafl9hiaMsc7tlnjwAY= +github.com/aws/aws-sdk-go-v2/credentials v1.12.13/go.mod h1:9fDEemXizwXrxPU1MTzv69LP/9D8HVl5qHAQO9A9ikY= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.6 h1:+NZzDh/RpcQTpo9xMFUgkseIam6PC+YJbdhbQp1NOXI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds 
v1.12.6/go.mod h1:ClLMcuQA/wcHPmOIfNzNI4Y1Q0oDbmEkbYhMFOzHDh8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12 h1:wgJBHO58Pc1V1QAnzdVM3JK3WbE/6eUF0JxCZ+/izz0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.12/go.mod h1:aZ4vZnyUuxedC7eD4JyEHpGnCz+O2sHQEx3VvAwklSE= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12 h1:Zt7DDk5V7SyQULUUwIKzsROtVzp/kVvcz15uQx/Tkow= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.12/go.mod h1:Afj/U8svX6sJ77Q+FPWMzabJ9QjbwP32YlopgKALUpg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18 h1:OmiwoVyLKEqqD5GvB683dbSqxiOfvx4U2lDZhG2Esc4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.18/go.mod h1:348MLhzV1GSlZSMusdwQpXKbhD7X2gbI/TxwAPKkYZQ= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6 h1:eeXdGVtXEe+2Jc49+/vAzna3FAQnUD4AagAw8tzbmfc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.6/go.mod h1:FwpAKI+FBPIELJIdmQzlLtRe8LQSOreMcM2wBsPMvvc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12 h1:5mvQDtNWtI6H56+E4LUnLWEmATMB7oEh+Z9RurtIuC0= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.12/go.mod h1:ckaCVTEdGAxO6KwTGzgskxR1xM+iJW4lxMyDFVda2Fc= github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13 h1:L/l0WbIpIadRO7i44jZh1/XeXpNDX0sokFppb4ZnXUI= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.13/go.mod h1:hiM/y1XPp3DoEPhoVEYc/CZcS58dP6RKJRDFp99wdX0= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19 h1:g5qq9sgtEzt2szMaDqQO6fqKe026T6dHTFJp5NsPzkQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.19/go.mod h1:cVHo8KTuHjShb9V8/VjH3S/8+xPu16qx8fdGwmotJhE= github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod 
h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus= 
@@ -335,19 +335,19 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.1/go.mod h1:eD5Eo4drVP2FLTw0 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 h1:LsqBpyRofMG6eDs6YGud6FhdGyIyXelAasPOZ6wWLro= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0/go.mod h1:IArQ3IBR00FkuraKwudKZZU32OxJfdTdwV+W5iZh3Y4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6 h1:0ZxYAZ1cn7Swi/US55VKciCE6RhRHIwCKIWaMLdT6pg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.6/go.mod h1:DxAPjquoEHf3rUHh1b9+47RAaXB8/7cB6jkzCt/GOEI= -github.com/aws/aws-sdk-go-v2/service/kms v1.17.3 h1:M9bIvNNpbtvDTlZC5I38Kn2yuinJZ/9L+AM2Qom23zI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12 h1:7iPTTX4SAI2U2VOogD7/gmHlsgnYSgoNHt7MSQXtG2M= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.12/go.mod h1:1TODGhheLWjpQWSuhYuAUWYTCKwEjx2iblIFKDHjeTc= +github.com/aws/aws-sdk-go-v2/service/kms v1.18.4 h1:tsokBawk9+eD3RfMbJJRla/y8FinZ79Ylj5tZ3Ayxcw= github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.8 h1:GNIdO14AHW5CgnzMml3Tg5Fy/+NqPQvnh1HsC1zpcPo= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.8/go.mod h1:UqRD9bBt15P0ofRyDZX6CfsIqPpzeHOhZKWzgSuAzpo= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.16 h1:YK8L7TNlGwMWHYqLs+i6dlITpxqzq08FqQUy26nm+T8= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.16/go.mod h1:mS5xqLZc/6kc06IpXn5vRxdLaED+jEuaSRv5BxtnsiY= github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.7 h1:HLzjwQM9975FQWSF3uENDGHT1gFQm/q3QXu2BYIcI08= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.7/go.mod h1:lVxTdiiSHY3jb1aeg+BBFtDzZGSUCv6qaNOyEGCJ1AY= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.13 
h1:dl8T0PJlN92rvEGOEUiD0+YPYdPEaCZK0TqHukvSfII= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.13/go.mod h1:Ru3QVMLygVs/07UQ3YDur1AQZZp2tUNje8wfloFttC0= github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.11.0/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= -github.com/aws/smithy-go v1.11.3 h1:DQixirEFM9IaKxX1olZ3ke3nvxRS2xMDteKIDWxozW8= -github.com/aws/smithy-go v1.11.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/smithy-go v1.12.1 h1:yQRC55aXN/y1W10HgwHle01DRuV9Dpf31iGkotjt3Ag= +github.com/aws/smithy-go v1.12.1/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04 h1:p2I85zYI9z5/c/3Q0LiO3RtNXcmXHTtJfml/hV16zNg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04/go.mod h1:Z+bXnIbhKJYSvxNwsNnwde7pDKxuqlEZCbUBoTwAqf0= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= @@ -713,7 +713,6 @@ github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSy github.com/getsentry/raven-go v0.2.0 h1:no+xWJRb5ZI7eE8TWgIq1jLulQiIoLG0IfYxv5JYMGs= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= 
@@ -777,13 +776,14 @@ github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqb github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU= github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.22.1 h1:S6xFhsBKAtvfphnJwRzeCh3OEGsTL/crXdEetSxLs0Q= +github.com/go-openapi/swag v0.22.1/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= github.com/go-openapi/validate v0.22.0 h1:b0QecH6VslW/TxtpKgzpO1SNG7GU2FsaqKdP1E2T50Y= github.com/go-openapi/validate v0.22.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= -github.com/go-piv/piv-go v1.9.0 h1:P6j2gjfP7zO7T3nCk/jwCgsvFRwB8shEqAJ4q85jgXc= -github.com/go-piv/piv-go v1.9.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= +github.com/go-piv/piv-go v1.10.0 h1:P1Y1VjBI5DnXW0+YkKmTuh5opWnMIrKriUaIOblee9Q= +github.com/go-piv/piv-go v1.10.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM= github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A= github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU= 
@@ -797,7 +797,7 @@ github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8w github.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSrdV7Nv3/gkvc= github.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk= github.com/go-rod/rod v0.101.8/go.mod h1:N/zlT53CfSpq74nb6rOR0K8UF0SPUPBmzBnArrms+mY= -github.com/go-rod/rod v0.107.1 h1:wRxTTAXJ0JUnoSGcyGAOubpdrToWIKPCnLu3av8EDFY= +github.com/go-rod/rod v0.109.1 h1:658X/G9xyQKjFUNo5apMsIyHpEb/KJnJ5LkAl6a62AI= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= @@ -868,8 +868,8 @@ github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keL github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.3.0 h1:kHL1vqdqWNfATmA0FNMdmZNMyZI1U6O31X4rlIPoBog= -github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= 
@@ -1125,7 +1125,7 @@ github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmk github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7 h1:UpiO20jno/eV1eVZcxqWnUohyKRe1g8FPV/xH1s/2qs= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= @@ -1165,8 +1165,8 @@ github.com/hashicorp/vault/api v1.7.2 h1:kawHE7s/4xwrdKbkmwQi0wYaIeUhk5ueek7ljue github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/vault/sdk v0.5.3 h1:PWY8sq/9pRrK9vUIy75qCH2Jd8oeENAgkaa/qbhzFrs= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= -github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= +github.com/hashicorp/yamux v0.1.0 h1:DzDIF6Sd7GD2sX0kDFpHAsJMY4L+OfTvtuaQsOYXxzk= github.com/honeycombio/beeline-go v1.1.1 h1:sU8r4ae34uEL3/CguSl8Mr+Asz9DL1nfH9Wwk85Pc7U= github.com/honeycombio/libhoney-go v1.15.2 h1:5NGcjOxZZma13dmzNcl3OtGbF1hECA0XHJNHEb2t2ck= github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= 
@@ -1200,13 +1200,19 @@ github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b h1:ZGiXF8sz7PDk6RgkP+A/SFfUD0ZR/AgG6SpRNEDKZy8= github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b/go.mod h1:hQmNrgofl+IY/8L+n20H6E6PWBBTokdsv+q49j0QhsU= +github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jgautheron/goconst v1.5.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4= +github.com/jhump/gopoet v0.0.0-20190322174617-17282ff210b3/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/gopoet v0.1.0/go.mod h1:me9yfT6IJSlOL3FCfrg+L6yzUEZ+5jW6WHt4Sk+UPUI= +github.com/jhump/goprotoc v0.5.0/go.mod h1:VrbvcYrQOrTi3i0Vf+m+oqQWk9l72mjkJCYo7UvLHRQ= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= -github.com/jhump/protoreflect v1.10.3 h1:8ogeubpKh2TiulA0apmGlW5YAH4U1Vi4TINIP+gpNfQ= github.com/jhump/protoreflect v1.10.3/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= +github.com/jhump/protoreflect v1.11.0/go.mod h1:U7aMIjN0NWq9swDP7xDdoMfRHb35uiuTd3Z9nFXJf5E= +github.com/jhump/protoreflect v1.12.0 h1:1NQ4FpWMgn3by/n1X0fbeKEUxP1wBt7+Oitpv01HR10= +github.com/jhump/protoreflect v1.12.0/go.mod h1:JytZfP5d0r8pVNLZvai7U/MCuTWITgrI4tTg7puQFKI= github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c= github.com/jinzhu/copier v0.3.2 h1:QdBOCbaouLDYaIPFfi1bKv5F5tPpeTwXe4sD0jqtz5w= github.com/jinzhu/copier v0.3.2/go.mod 
h1:24xnZezI2Yqac9J61UC6/dG/k76ttpq0DdJI3QmUvro= @@ -1298,8 +1304,8 @@ github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdB github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88= github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= -github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e h1:1aV3EJ4ZMsc63MFU4rB+ccSEhZvvVD71T9RA4Rqd3hI= -github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3mfF2LHYepsU2XfzMceIglyByfPe1IFAXtO+p37Qk= +github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e h1:2ba+yBBeT8ZFyZjRLPDKvkqVrWX4CCYAuR6nuJGojD0= +github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e/go.mod h1:54WQpg5QI0mpRhxoj9bxysLqA5WJylVsLtXOrb3zAiU= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= 
@@ -1729,15 +1735,15 @@ github.com/shurcooL/go v0.0.0-20200502201357-93f07166e636/go.mod h1:TDJrrUr11Vxr github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sigstore/cosign v1.10.1 h1:mFRTtJmZtC55tbBE4SHUfqBXux/jN01Wysk7/duyYPA= -github.com/sigstore/cosign v1.10.1/go.mod h1:7ltQF49sIWp0p0UvXhFtHDQUa4PPw6W53TYlIRlayRA= +github.com/sigstore/cosign v1.11.0 h1:jw0nXSEdcM+6OPSaP5oGCHITM+Brh/rjRerrMrH93e0= +github.com/sigstore/cosign v1.11.0/go.mod h1:YaoVdaXyZCnCRJeAmsIq5LVD0Cu7saupPp2Ub9dZ5i4= github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 h1:XE7A9lJ+wYhmUFBWYTaw3Ph943zHB4iBYd5R0SX0ZOA= github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7/go.mod h1:ANQivY/lfOp9hN92S813LEthkm/kit96hzeIF3SNoZA= -github.com/sigstore/rekor v0.9.1 h1:xk+Sg6xWLYctIqlIxZP+sxZl9sfEl0OIbPgxo527Gxg= -github.com/sigstore/rekor v0.9.1/go.mod h1:7YBvw8sKQpTUD8jwahpAgex3zF+q2+RAEsgnWXb3O4I= +github.com/sigstore/rekor v0.10.0 h1:lhqu403gtsfqf7yOBUm6G5KkI17g4s55jnDOHceYEEM= +github.com/sigstore/rekor v0.10.0/go.mod h1:optBScc+ylAO6nTRyH3kY5me1ClbQufeLiglesAEiwg= github.com/sigstore/sigstore v1.1.0/go.mod h1:gDpcHw4VwpoL5C6N1Ud1YtBsc+ikRDwDelDlWRyYoE8= -github.com/sigstore/sigstore v1.2.1-0.20220614141825-9c0e2e247545 h1:S6ZnBcLFZNdB6mw8QnjLgtGU1myK+X0UPpRwJ71/Z/o= -github.com/sigstore/sigstore v1.2.1-0.20220614141825-9c0e2e247545/go.mod h1:xr0T+0gIaZyrmWtC99G8llLi1izy70nZpgVp+C1jb5k= +github.com/sigstore/sigstore v1.4.0 h1:5A3eUhbSQkhiqJNUPi/2UMKdTyb3NKfWcVjaTBkkaJk= +github.com/sigstore/sigstore v1.4.0/go.mod h1:z3kt1jm2A39M+g7emkQ8jdErL/haCMEjkNxvqTf41/k= github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= 
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= @@ -1943,8 +1949,8 @@ github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr github.com/x-cray/logrus-prefixed-formatter v0.5.2 h1:00txxvfBM9muc0jiLIEAkAcIMJzfthRT6usrui8uGmg= github.com/x-cray/logrus-prefixed-formatter v0.5.2/go.mod h1:2duySbKsL6M18s5GU7VPsoEPHyzalCE06qoARUCeBBE= github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug= -github.com/xanzy/go-gitlab v0.70.0 h1:zJ8WukB5psMcfmQctHsiG/PyqLqLIdD05wCLwdPNEBg= -github.com/xanzy/go-gitlab v0.70.0/go.mod h1:o4yExCtdaqlM8YGdDJWuZoBmfxBsmA9TPEjs9mx1UO4= +github.com/xanzy/go-gitlab v0.72.0 h1:/9BQTftUE7GRK/RO1eeWxG1cOE+tjwBrvRdpkeSOq6w= +github.com/xanzy/go-gitlab v0.72.0/go.mod h1:d/a0vswScO7Agg1CZNz15Ic6SSvBG9vfw8egL99t4kA= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= 
@@ -1973,9 +1979,9 @@ github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ= github.com/ysmood/got v0.15.1/go.mod h1:pE1l4LOwOBhQg6A/8IAatkGp7uZjnalzrZolnlhhMgY= github.com/ysmood/gotrace v0.2.2/go.mod h1:TzhIG7nHDry5//eYZDYcTzuJLYQIkykJzCRIo4/dzQM= github.com/ysmood/gson v0.6.4/go.mod h1:3Kzs5zDl21g5F/BlLTNcuAGAYLKt2lV5G8D1zF3RNmg= -github.com/ysmood/gson v0.7.1 h1:zKL2MTGtynxdBdlZjyGsvEOZ7dkxaY5TH6QhAbTgz0Q= -github.com/ysmood/leakless v0.7.0 h1:XCGdaPExyoreoQd+H5qgxM3ReNbSPFsEXpSKwbXbwQw= +github.com/ysmood/gson v0.7.2 h1:1iWUvpi5DPvd2j59W7ifRPR9DiAZ3Ga+fmMl1mJrRbM= github.com/ysmood/leakless v0.7.0/go.mod h1:R8iAXPRaG97QJwqxs74RdwzcRHT1SWCGTNqY8q0JvMQ= +github.com/ysmood/leakless v0.8.0 h1:BzLrVoiwxikpgEQR0Lk8NyBN5Cit2b1z+u0mgL4ZJak= github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= @@ -2107,8 +2113,9 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= +go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.1.12 h1:gZAh5/EyT/HQwlpkCy6wTpqfH9H8Lz8zbm3dZh+OyzA= 
@@ -2171,8 +2178,9 @@ golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c= +golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -2297,8 +2305,8 @@ golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.0.0-20220708220712-1185a9018129 h1:vucSRfWwTsoXro7P+3Cjlr6flUMtzCwzlvkxEQtHHB0= -golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48 h1:N9Vc/rorQUDes6B9CNdIxAn5jODGj2wzfrei2x4wNj4= +golang.org/x/net v0.0.0-20220805013720-a33c5aa5df48/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -2326,8 +2334,8 @@ golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= -golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 h1:oVlhw3Oe+1reYsE2Nqu19PDJfLzwdU3QUUrG86rLK68= -golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c h1:q3gFqPqH7NVofKo3c3yETAP//pPI+G5mvB7qqj1Y5kY= +golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -2341,8 +2349,9 @@ golang.org/x/sync v0.0.0-20200930132711-30421366ff76/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -2488,13 +2497,15 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 h1:CBpWXWQpIRjzmkkA+M7q9Fqnwd2mZr3AFqexg8YTfoM= +golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -2514,8 +2525,9 @@ golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220411224347-583f2d630306 h1:+gHMid33q6pen7kv9xvT+JRinntgeXO2AeZVd0AWD3w= golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 h1:ftMN5LMiBFjbzleLqtoBZk7KdJwhuybIU+FckUHgoyQ= +golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -2699,8 +2711,8 @@ google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= -google.golang.org/api v0.91.0 h1:731+JzuwaJoZXRQGmPoBiV+SrsAfUaIkdMCWTcQNPyA= -google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.92.0 h1:8JHk7q/+rJla+iRsWj9FQ9/wjv2M1SKtpKSdmLhxPT0= +google.golang.org/api v0.92.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2828,8 +2840,9 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= -google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f h1:hJ/Y5SqPXbarffmAsApliUlcvMU+wScNGfyop4bZm8o= google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220720214146-176da50484ac h1:EOa+Yrhx1C0O+4pHeXeWrCwdI0tWI6IfUU56Vebs9wQ= +google.golang.org/genproto v0.0.0-20220720214146-176da50484ac/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= 
@@ -3061,8 +3074,8 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyz sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y= sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= -sigs.k8s.io/release-utils v0.7.1 h1:dQuGqQi7XGW4PSLJ6JRlN2JUDkeXSepDL1nTdl9QTPY= -sigs.k8s.io/release-utils v0.7.1/go.mod h1:SK+/kkc2i7ZO0CFXDCvXpzIZyt13cPlscaApaZD7VmU= +sigs.k8s.io/release-utils v0.7.3 h1:6pS8x6c5RmdUgR9qcg1LO6hjUzuE4Yo9TGZ3DemrZdM= +sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= diff --git a/internal/anchore/import.go b/internal/anchore/import.go index 0757cd1126c..4225c96c8a3 100644 --- a/internal/anchore/import.go +++ b/internal/anchore/import.go @@ -45,7 +45,7 @@ func importProgress(source string) (*progress.Stage, *progress.Manual) { return stage, prog } -// nolint:funlen +//nolint:funlen func (c *Client) Import(ctx context.Context, cfg ImportConfig) error { stage, prog := importProgress(c.config.BaseURL) diff --git a/internal/anchore/import_config.go b/internal/anchore/import_config.go index 56e4c310ff5..feedc0aa3c4 100644 --- a/internal/anchore/import_config.go +++ b/internal/anchore/import_config.go @@ -1,4 +1,4 @@ -// nolint:dupl +//nolint:dupl package anchore import ( diff --git a/internal/anchore/import_manifest.go b/internal/anchore/import_manifest.go index 3dd1a233ec1..f1fb7d905cf 100644 --- a/internal/anchore/import_manifest.go +++ b/internal/anchore/import_manifest.go 
@@ -1,4 +1,4 @@ -// nolint: dupl +//nolint:dupl package anchore import ( diff --git a/internal/config/registry.go b/internal/config/registry.go index 7d9a76d8179..6ae85d3e770 100644 --- a/internal/config/registry.go +++ b/internal/config/registry.go @@ -30,7 +30,7 @@ func (cfg registry) loadDefaultValues(v *viper.Viper) { v.SetDefault("registry.auth", []RegistryCredentials{}) } -// nolint:unparam +//nolint:unparam func (cfg *registry) parseConfigValues() error { // there may be additional credentials provided by env var that should be appended to the set of credentials authority, username, password, token := diff --git a/internal/file/zip_read_closer.go b/internal/file/zip_read_closer.go index 11c2783f3ea..cba80b8517d 100644 --- a/internal/file/zip_read_closer.go +++ b/internal/file/zip_read_closer.go @@ -95,7 +95,8 @@ type directoryEnd struct { } // note: this is derived from readDirectoryEnd within the archive/zip package -// nolint:gocognit +// +//nolint:gocognit func findArchiveStartOffset(r io.ReaderAt, size int64) (startOfArchive uint64, err error) { // look for directoryEndSignature in the last 1k, then in the last 65k var buf []byte diff --git a/internal/formats/common/property_encoder.go b/internal/formats/common/property_encoder.go index 39aa2a8f6aa..271a22afa80 100644 --- a/internal/formats/common/property_encoder.go +++ b/internal/formats/common/property_encoder.go @@ -190,7 +190,7 @@ func DecodeInto(obj interface{}, values map[string]string, prefix string, fn Fie decode(values, value, prefix, fn) } -// nolint: funlen, gocognit, gocyclo +//nolint:funlen,gocognit,gocyclo func decode(vals map[string]string, value reflect.Value, prefix string, fn FieldName) bool { if !value.IsValid() || value.Type() == nil { return false diff --git a/internal/formats/spdx22tagvalue/to_format_model.go b/internal/formats/spdx22tagvalue/to_format_model.go index c678354210b..41296665ee2 100644 --- a/internal/formats/spdx22tagvalue/to_format_model.go 
+++ b/internal/formats/spdx22tagvalue/to_format_model.go @@ -14,7 +14,8 @@ import ( ) // toFormatModel creates and populates a new JSON document struct that follows the SPDX 2.2 spec from the given cataloging results. -// nolint:funlen +// +//nolint:funlen func toFormatModel(s sbom.SBOM) *spdx.Document2_2 { name, namespace := spdxhelpers.DocumentNameAndNamespace(s.Source) @@ -87,7 +88,8 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 { } // packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/) -// nolint: funlen +// +//nolint:funlen func toFormatPackages(catalog *pkg.Catalog) map[spdx.ElementID]*spdx.Package2_2 { results := make(map[spdx.ElementID]*spdx.Package2_2) diff --git a/internal/formats/syftjson/model/package.go b/internal/formats/syftjson/model/package.go index f3258afdf3b..6a67bd949a9 100644 --- a/internal/formats/syftjson/model/package.go +++ b/internal/formats/syftjson/model/package.go @@ -72,7 +72,7 @@ func (p *Package) UnmarshalJSON(b []byte) error { return err } -// nolint:funlen,gocognit,gocyclo +//nolint:funlen,gocognit,gocyclo func unpackMetadata(p *Package, unpacker packageMetadataUnpacker) error { p.MetadataType = unpacker.MetadataType switch p.MetadataType { diff --git a/syft/event/event.go b/syft/event/event.go index 8adcdd29790..e42cfae7dad 100644 --- a/syft/event/event.go +++ b/syft/event/event.go @@ -13,7 +13,7 @@ const ( // PackageCatalogerStarted is a partybus event that occurs when the package cataloging has begun PackageCatalogerStarted partybus.EventType = "syft-package-cataloger-started-event" - // nolint:gosec + //nolint:gosec // SecretsCatalogerStarted is a partybus event that occurs when the secrets cataloging has begun SecretsCatalogerStarted partybus.EventType = "syft-secrets-cataloger-started-event" diff --git a/syft/lib.go b/syft/lib.go index a2438415093..d0a1fdf4d6d 100644 --- a/syft/lib.go +++ b/syft/lib.go 
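Review bot: In the syft/event/event.go hunk, `//nolint:gosec` gives no reason for the suppression and sits above the doc comment of `SecretsCatalogerStarted`, while every other directive this commit touches goes below the doc text after a bare `//` line. Presumably gosec's hard-coded-credential check is reacting to the word "secrets" in the event name, but the line does not say so, so a later reader cannot tell a false positive from a waived finding. I would put the directive last in the comment block and state the reason, e.g. `//nolint:gosec // false positive: event name, not a credential`. It is also worth confirming that the directive still covers the constant when a comment line sits between them. The `const (` block starts and ends outside this hunk.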
@@ -3,9 +3,9 @@ Package syft is a "one-stop-shop" for helper utilities for all major functionali Here is what the main execution path for syft does: - 1. Parse a user image string to get a stereoscope image.Source object - 2. Invoke all catalogers to catalog the image, adding discovered packages to a single catalog object - 3. Invoke one or more encoders to output contents of the catalog + 1. Parse a user image string to get a stereoscope image.Source object + 2. Invoke all catalogers to catalog the image, adding discovered packages to a single catalog object + 3. Invoke one or more encoders to output contents of the catalog A Source object encapsulates the image object to be cataloged and the user options (catalog all layers vs. squashed layer), providing a way to inspect paths and file content within the image. The Source object, not the image object, is used diff --git a/syft/pkg/cataloger/alpm/parse_alpm_db.go b/syft/pkg/cataloger/alpm/parse_alpm_db.go index e74505ffc95..5125cc1d5f6 100644 --- a/syft/pkg/cataloger/alpm/parse_alpm_db.go +++ b/syft/pkg/cataloger/alpm/parse_alpm_db.go @@ -75,7 +75,7 @@ func getFileReader(path string, resolver source.FileResolver) (io.Reader, error) return dbContentReader, nil } -// nolint:funlen +//nolint:funlen func parseDatabase(b *bufio.Scanner) (*pkg.AlpmMetadata, error) { var entry pkg.AlpmMetadata var err error diff --git a/syft/pkg/cataloger/apkdb/parse_apk_db.go b/syft/pkg/cataloger/apkdb/parse_apk_db.go index 26d359b7037..34038f2ab65 100644 --- a/syft/pkg/cataloger/apkdb/parse_apk_db.go +++ b/syft/pkg/cataloger/apkdb/parse_apk_db.go 
@@ -74,8 +74,9 @@ func parseApkDB(_ string, reader io.Reader) ([]*pkg.Package, []artifact.Relation return packages, nil, nil } -// nolint:funlen // parseApkDBEntry reads and parses a single pkg.ApkMetadata element from the stream, returning nil if their are no more entries. +// +//nolint:funlen func parseApkDBEntry(reader io.Reader) (*pkg.ApkMetadata, error) { var entry pkg.ApkMetadata pkgFields := make(map[string]interface{}) diff --git a/syft/pkg/cataloger/java/archive_filename.go b/syft/pkg/cataloger/java/archive_filename.go index 870e4ec7deb..e8815011920 100644 --- a/syft/pkg/cataloger/java/archive_filename.go +++ b/syft/pkg/cataloger/java/archive_filename.go 
@@ -36,17 +36,18 @@ import ( // This match group covers the "version-indicating" patterns mentioned in the above description. Given the pipes ( // '|'), this functions as a series of 'OR'-joined conditions: // -// \d.* ... "If it starts with a numeric digit, this is a version, no matter what follows." -// build\d*.* ... "If it starts with "build" and then a numeric digit immediately after, this is a version." -// rc?\d+(?:^[[:alpha:]].*)? ... "If it starts with "r" or "rc" and then one or more numeric digits immediately -// after, but no alpha characters right after that (in the same word), this is a version." +// \d.* ... "If it starts with a numeric digit, this is a version, no matter what follows." +// build\d*.* ... "If it starts with "build" and then a numeric digit immediately after, this is a version." +// rc?\d+(?:^[[:alpha:]].*)? ... "If it starts with "r" or "rc" and then one or more numeric digits immediately +// after, but no alpha characters right after that (in the same word), this is a version." // // Match examples: -// some-package-4.0.1 --> name="some-package", version="4.0.1" -// prefix.thing-4 --> name="prefix.thing", version="4" -// my-http2-server-5 --> name="my-http2-server", version="5" -// jetpack-build235-rc5 --> name="jetpack", version="build2.0-rc5" -// ironman-r4-2009 --> name="ironman", version="r4-2009" +// +// some-package-4.0.1 --> name="some-package", version="4.0.1" +// prefix.thing-4 --> name="prefix.thing", version="4" +// my-http2-server-5 --> name="my-http2-server", version="5" +// jetpack-build235-rc5 --> name="jetpack", version="build2.0-rc5" +// ironman-r4-2009 --> name="ironman", version="r4-2009" var nameAndVersionPattern = regexp.MustCompile(`(?Ui)^(?P(?:[[:alpha:]][[:word:].]*(?:\.[[:alpha:]][[:word:].]*)*-?)+)(?:-(?P(?:\d.*|(?:build\d*.*)|(?:rc?\d+(?:^[[:alpha:]].*)?))))?$`) type archiveFilename struct { 
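Review bot: The third alternative in this comment block, `rc?\d+(?:^[[:alpha:]].*)?`, does not do what its description says. In Go's regexp syntax a `^` at the start of a group is a start-of-text anchor, not a negation, and the `(?Ui)` flags shown do not enable multi-line mode, so that optional group can only match the empty string. If "no alpha characters right after that" is the intent, the class was probably meant to be `[^[:alpha:]]`, giving `rc?\d+(?:[^[:alpha:]].*)?` in both the comment and `nameAndVersionPattern`, with a test for the `r`/`rc` forms. The match example `jetpack-build235-rc5 --> ... version="build2.0-rc5"` also disagrees with its own input. Versions parsed here feed the package catalog, so a wrong split is likely to carry through to anything that matches on version.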
diff --git a/syft/pkg/cataloger/java/parse_java_manifest.go b/syft/pkg/cataloger/java/parse_java_manifest.go index 7d9c7b7f621..688595b030f 100644 --- a/syft/pkg/cataloger/java/parse_java_manifest.go +++ b/syft/pkg/cataloger/java/parse_java_manifest.go @@ -14,9 +14,10 @@ import ( const manifestGlob = "/META-INF/MANIFEST.MF" -// nolint:funlen // parseJavaManifest takes MANIFEST.MF file content and returns sections of parsed key/value pairs. // For more information: https://docs.oracle.com/en/java/javase/11/docs/specs/jar/jar.html#jar-manifest +// +//nolint:funlen func parseJavaManifest(path string, reader io.Reader) (*pkg.JavaManifest, error) { var manifest pkg.JavaManifest var sections []map[string]string diff --git a/syft/pkg/cataloger/python/parse_setup.go b/syft/pkg/cataloger/python/parse_setup.go index 5a762fcbf10..c3943ff1e52 100644 --- a/syft/pkg/cataloger/python/parse_setup.go +++ b/syft/pkg/cataloger/python/parse_setup.go @@ -15,9 +15,10 @@ import ( var _ common.ParserFn = parseSetup // match examples: -// 'pathlib3==2.2.0;python_version<"3.6"' --> match(name=pathlib3 version=2.2.0) -// "mypy==v0.770", --> match(name=mypy version=v0.770) -// " mypy2 == v0.770", ' mypy3== v0.770', --> match(name=mypy2 version=v0.770), match(name=mypy3, version=v0.770) +// +// 'pathlib3==2.2.0;python_version<"3.6"' --> match(name=pathlib3 version=2.2.0) +// "mypy==v0.770", --> match(name=mypy version=v0.770) +// " mypy2 == v0.770", ' mypy3== v0.770', --> match(name=mypy2 version=v0.770), match(name=mypy3, version=v0.770) var pinnedDependency = regexp.MustCompile(`['"]\W?(\w+\W?==\W?[\w\.]*)`) func parseSetup(_ string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) { diff --git a/ui/event_handlers.go b/ui/event_handlers.go index 0c42984412c..43c04a9fb2d 100644 --- a/ui/event_handlers.go +++ b/ui/event_handlers.go 
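Review bot: In the parse_setup.go hunk, `pinnedDependency` matches the package name with `\w+`, which excludes `-` and `.`, so a pinned requirement such as `'python-dateutil==2.8.2'` (constructed example) would not match at all. If `parseSetup` relies on this pattern alone, such dependencies would be missing from the package list without any error, which leaves a gap in the SBOM. Something like `['"]\W?([\w.-]+\W?==\W?[\w.]*)` would cover those names, and the match examples and tests should gain a hyphenated and a dotted case. The body of `parseSetup` is outside the hunk, so how the matches are consumed is not visible here.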
@@ -74,8 +74,9 @@ func formatDockerPullPhase(phase docker.PullPhase, inputStr string) string { } } -// nolint:funlen // formatDockerImagePullStatus writes the docker image pull status summarized into a single line for the given state. +// +//nolint:funlen func formatDockerImagePullStatus(pullStatus *docker.PullStatus, spinner *components.Spinner, line *frame.Line) { var size, current uint64 @@ -397,8 +398,9 @@ func SecretsCatalogerStartedHandler(ctx context.Context, fr *frame.Frame, event return err } -//nolint:dupl // FileMetadataCatalogerStartedHandler shows the intermittent secrets searching progress. +// +//nolint:dupl func FileMetadataCatalogerStartedHandler(ctx context.Context, fr *frame.Frame, event partybus.Event, wg *sync.WaitGroup) error { prog, err := syftEventParsers.ParseFileMetadataCatalogingStarted(event) if err != nil { @@ -483,7 +485,8 @@ func FileIndexingStartedHandler(ctx context.Context, fr *frame.Frame, event part } // FileMetadataCatalogerStartedHandler shows the intermittent secrets searching progress. -// nolint:dupl +// +//nolint:dupl func FileDigestsCatalogerStartedHandler(ctx context.Context, fr *frame.Frame, event partybus.Event, wg *sync.WaitGroup) error { prog, err := syftEventParsers.ParseFileDigestsCatalogingStarted(event) if err != nil {
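Review bot: The doc comment above `FileDigestsCatalogerStartedHandler` in the last hunk still begins with `FileMetadataCatalogerStartedHandler` and describes "secrets searching progress". The comment on `FileMetadataCatalogerStartedHandler` in the previous hunk carries the same copied description. Since these comment blocks are being edited anyway, I would correct them to `// FileDigestsCatalogerStartedHandler shows the intermittent file digest cataloging progress.` and `// FileMetadataCatalogerStartedHandler shows the intermittent file metadata cataloging progress.` Both function bodies continue outside their hunks, so the wording is based on the `ParseFileDigestsCatalogingStarted` and `ParseFileMetadataCatalogingStarted` calls that are visible.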