diff --git a/go.mod b/go.mod
index ccc5bb4..bd7e40d 100644
--- a/go.mod
+++ b/go.mod
@@ -5,8 +5,10 @@ go 1.21.3
 require (
 	github.com/anchore/bubbly v0.0.0-20231115205105-6542675d79fe
 	github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65
+	github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537
 	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
-	github.com/anchore/syft v0.105.0
+	github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56
+	github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc
 	github.com/charmbracelet/bubbletea v0.25.0
 	github.com/charmbracelet/lipgloss v0.9.1
 	github.com/github/go-spdx/v2 v2.2.0
@@ -47,7 +49,6 @@ require (
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426 // indirect
-	github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
diff --git a/go.sum b/go.sum
index c977442..1eec3b4 100644
--- a/go.sum
+++ b/go.sum
@@ -95,6 +95,8 @@ github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65 h1:u9XrEabKlGPsrmRvAE
 github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og=
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUtdkk398W3PIBJLkt1N8nU/7e47A=
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo=
+github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 h1:GjNGuwK5jWjJMyVppBjYS54eOiiSNv4Ba869k4wh72Q=
+github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537/go.mod h1:1aiktV46ATCkuVg0O573ZrH56BUawTECPETbZyBcqT8=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a/go.mod h1:ubLFmlsv8/DFUQrZwY5syT5/8Er3ugSr4rDFwHsE3hg=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
@@ -107,10 +109,10 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426 h1:agoiZchSf1Nnnos1azwIg5hk5Ao9TzZNBD9++AChGEg=
 github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3 h1:gnf3+0bYP6hsk/sQHdnLpqmilVUr/y6kIxzGCP6kUWA=
-github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3/go.mod h1:o0TqYkefad6kIPtmbigFKss7P48z4bjd8Vp5Wklbf3Y=
-github.com/anchore/syft v0.105.0 h1:CG6D1wF4gfwVpF0o085Ym1FaWSK7sMz3B62nOk+0wH8=
-github.com/anchore/syft v0.105.0/go.mod h1:qa0A9aliWCp0xpVA4tsB/S+aM+7VB9Fvjy8aWlDhbGU=
+github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56 h1:iHvTXZA+qEozPGRRuW1Mv7r7w2fHeJdzWDx+YsSIbyg=
+github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56/go.mod h1:evQiJMQG56Z7/L5uhA8kfhhjF6ESJUZzUH9ms6bQ2Co=
+github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc h1:DAKhgqCcFUxDdhbnt5oha3ffKB0HTrUYCWsnAnD0Vmc=
+github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc/go.mod h1:0YmPZeyOLJUmFPOsu3vLm0fERmvW5bQTmodzThMv89U=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -1334,8 +1336,8 @@ modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
 modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
 modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
 modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
-modernc.org/sqlite v1.29.1 h1:19GY2qvWB4VPw0HppFlZCPAbmxFU41r+qjKZQdQ1ryA=
-modernc.org/sqlite v1.29.1/go.mod h1:hG41jCYxOAOoO6BRK66AdRlmOcDzXf7qnwlwjUIOqa0=
+modernc.org/sqlite v1.29.2 h1:xgBSyA3gemwgP31PWFfFjtBorQNYpeypGdoSDjXhrgI=
+modernc.org/sqlite v1.29.2/go.mod h1:hG41jCYxOAOoO6BRK66AdRlmOcDzXf7qnwlwjUIOqa0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/grant/case.go b/grant/case.go
index 0a3ef7e..14ebc8d 100644
--- a/grant/case.go
+++ b/grant/case.go
@@ -14,8 +14,10 @@ import (
 	"github.com/google/licenseclassifier/v2/tools/identify_license/backend"
 	"github.com/google/licenseclassifier/v2/tools/identify_license/results"
 
+	"github.com/anchore/go-collections"
 	"github.com/anchore/grant/internal/log"
 	"github.com/anchore/grant/internal/spdxlicense"
+	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
 	"github.com/anchore/syft/syft/format"
@@ -24,6 +26,7 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/javascript"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
+	"github.com/anchore/syft/syft/source/sourceproviders"
 )
 
 // Case is a collection of SBOMs and Licenses that are evaluated for a given UserInput
@@ -341,13 +344,8 @@ func grantLicenseFromClassifierResults(r results.LicenseTypes) []License {
 
 // TODO: is the default syft config good enough here?
 // we definitely need at least all the non default license magic turned on
-func generateSyftSBOM(path string) (sb sbom.SBOM, err error) {
-	detection, err := source.Detect(path, source.DefaultDetectConfig())
-	if err != nil {
-		return sb, err
-	}
-
-	src, err := detection.NewSource(source.DefaultDetectionSourceConfig())
+func generateSyftSBOM(userInput string) (sb sbom.SBOM, err error) {
+	src, err := getSource(userInput)
 	if err != nil {
 		return sb, err
 	}
@@ -355,6 +353,19 @@ func generateSyftSBOM(path string) (sb sbom.SBOM, err error) {
 	return sb, nil
 }
 
+func getSource(userInput string) (source.Source, error) {
+	allSourceTags := collections.TaggedValueSet[source.Provider]{}.Join(sourceproviders.All("", nil)...).Tags()
+
+	var sources []string
+	schemeSource, newUserInput := stereoscope.ExtractSchemeSource(userInput, allSourceTags...)
+	if schemeSource != "" {
+		sources = []string{schemeSource}
+		userInput = newUserInput
+	}
+
+	return syft.GetSource(context.Background(), userInput, syft.DefaultGetSourceConfig().WithSources(sources...))
+}
+
 func getSBOM(src source.Source) sbom.SBOM {
 	createSBOMConfig := syft.DefaultCreateSBOMConfig()
 	createSBOMConfig.WithPackagesConfig(
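Review bot: getSource hard-codes `context.Background()` in its `syft.GetSource` call, so a resolution that reaches a remote provider (the scheme tags come from sourceproviders.All, which presumably includes registry-backed providers) has no deadline and cannot be cancelled by the caller. Prefer `func getSource(ctx context.Context, userInput string) (source.Source, error)` with the context passed through from generateSyftSBOM (`src, err := getSource(ctx, userInput)`), so that a background or timed context is created only at the outermost call site. The new function also lacks a doc comment; suggested: `// getSource resolves userInput to a syft source; a leading scheme recognised by the registered providers pins resolution to that provider, otherwise the default provider set is used.` Neither hunk shows the returned source being closed and the middle of generateSyftSBOM lies between the two hunks outside SOURCE, so confirm that `src.Close()` is deferred there.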