anchore · kzantow · Feb 28, 2024 · Feb 23, 2024 · Feb 27, 2024 · Feb 27, 2024
diff --git a/go.mod b/go.mod
@@ -5,8 +5,10 @@ go 1.21.3
 require (
 	github.com/anchore/bubbly v0.0.0-20231115205105-6542675d79fe
 	github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65
+	github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537
 	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
-	github.com/anchore/syft v0.105.0
+	github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56
+	github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc
 	github.com/charmbracelet/bubbletea v0.25.0
 	github.com/charmbracelet/lipgloss v0.9.1
 	github.com/github/go-spdx/v2 v2.2.0
@@ -47,7 +49,6 @@ require (
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
 	github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426 // indirect
-	github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3 // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect

diff --git a/go.sum b/go.sum
@@ -95,6 +95,8 @@ github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65 h1:u9XrEabKlGPsrmRvAE
 github.com/anchore/clio v0.0.0-20240209204744-cb94e40a4f65/go.mod h1:8Jr7CjmwFVcBPtkJdTpaAGHimoGJGfbExypjzOu87Og=
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUtdkk398W3PIBJLkt1N8nU/7e47A=
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo=
+github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 h1:GjNGuwK5jWjJMyVppBjYS54eOiiSNv4Ba869k4wh72Q=
+github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537/go.mod h1:1aiktV46ATCkuVg0O573ZrH56BUawTECPETbZyBcqT8=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a/go.mod h1:ubLFmlsv8/DFUQrZwY5syT5/8Er3ugSr4rDFwHsE3hg=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
@@ -107,10 +109,10 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZV
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426 h1:agoiZchSf1Nnnos1azwIg5hk5Ao9TzZNBD9++AChGEg=
 github.com/anchore/packageurl-go v0.1.1-0.20240202171727-877e1747d426/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3 h1:gnf3+0bYP6hsk/sQHdnLpqmilVUr/y6kIxzGCP6kUWA=
-github.com/anchore/stereoscope v0.0.2-0.20240208195325-681f6715b0e3/go.mod h1:o0TqYkefad6kIPtmbigFKss7P48z4bjd8Vp5Wklbf3Y=
-github.com/anchore/syft v0.105.0 h1:CG6D1wF4gfwVpF0o085Ym1FaWSK7sMz3B62nOk+0wH8=
-github.com/anchore/syft v0.105.0/go.mod h1:qa0A9aliWCp0xpVA4tsB/S+aM+7VB9Fvjy8aWlDhbGU=
+github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56 h1:iHvTXZA+qEozPGRRuW1Mv7r7w2fHeJdzWDx+YsSIbyg=
+github.com/anchore/stereoscope v0.0.2-0.20240221144950-cf0e754f5b56/go.mod h1:evQiJMQG56Z7/L5uhA8kfhhjF6ESJUZzUH9ms6bQ2Co=
+github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc h1:DAKhgqCcFUxDdhbnt5oha3ffKB0HTrUYCWsnAnD0Vmc=
+github.com/anchore/syft v0.105.2-0.20240227214437-a978966cadfc/go.mod h1:0YmPZeyOLJUmFPOsu3vLm0fERmvW5bQTmodzThMv89U=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
@@ -1334,8 +1336,8 @@ modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
 modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
 modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
 modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
-modernc.org/sqlite v1.29.1 h1:19GY2qvWB4VPw0HppFlZCPAbmxFU41r+qjKZQdQ1ryA=
-modernc.org/sqlite v1.29.1/go.mod h1:hG41jCYxOAOoO6BRK66AdRlmOcDzXf7qnwlwjUIOqa0=
+modernc.org/sqlite v1.29.2 h1:xgBSyA3gemwgP31PWFfFjtBorQNYpeypGdoSDjXhrgI=
+modernc.org/sqlite v1.29.2/go.mod h1:hG41jCYxOAOoO6BRK66AdRlmOcDzXf7qnwlwjUIOqa0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

diff --git a/grant/case.go b/grant/case.go
@@ -14,8 +14,10 @@ import (
 	"github.com/google/licenseclassifier/v2/tools/identify_license/backend"
 	"github.com/google/licenseclassifier/v2/tools/identify_license/results"
 
+	"github.com/anchore/go-collections"
 	"github.com/anchore/grant/internal/log"
 	"github.com/anchore/grant/internal/spdxlicense"
+	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
 	"github.com/anchore/syft/syft/format"
@@ -24,6 +26,7 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/javascript"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
+	"github.com/anchore/syft/syft/source/sourceproviders"
 )
 
 // Case is a collection of SBOMs and Licenses that are evaluated for a given UserInput
@@ -341,20 +344,28 @@ func grantLicenseFromClassifierResults(r results.LicenseTypes) []License {
 
 // TODO: is the default syft config good enough here?
 // we definitely need at least all the non default license magic turned on
-func generateSyftSBOM(path string) (sb sbom.SBOM, err error) {
-	detection, err := source.Detect(path, source.DefaultDetectConfig())
-	if err != nil {
-		return sb, err
-	}
-
-	src, err := detection.NewSource(source.DefaultDetectionSourceConfig())
+func generateSyftSBOM(userInput string) (sb sbom.SBOM, err error) {
+	src, err := getSource(userInput)
 	if err != nil {
 		return sb, err
 	}
 	sb = getSBOM(src)
 	return sb, nil
 }
 
+func getSource(userInput string) (source.Source, error) {
+	allSourceTags := collections.TaggedValueSet[source.Provider]{}.Join(sourceproviders.All("", nil)...).Tags()
+
+	var sources []string
+	schemeSource, newUserInput := stereoscope.ExtractSchemeSource(userInput, allSourceTags...)
+	if schemeSource != "" {
+		sources = []string{schemeSource}
+		userInput = newUserInput
+	}
+
+	return syft.GetSource(context.Background(), userInput, syft.DefaultGetSourceConfig().WithSources(sources...))
+}
+
 func getSBOM(src source.Source) sbom.SBOM {
 	createSBOMConfig := syft.DefaultCreateSBOMConfig()
 	createSBOMConfig.WithPackagesConfig(