Contributing New Catalogers to Syft
Join the community meeting on October 12 where we will be discussing new features being added to syft and the in-flight cataloger work. Calendar Link
To see the current open cataloger requests, check out the list here. If an issue is not assigned, it is open for anyone to contribute.
What is a Cataloger
A cataloger is syft's term for a module that knows how to detect and analyze components from a particular package manager or ecosystem.
If you're interested in contributing a new cataloger, take a look at the documentation below. The issue also goes further into how to start thinking about what type of cataloger you contribute after selecting the ecosystem. If you have questions you can always tag @anchore/tools on this thread and we will come by and answer any questions you have.
Developing.MD
Be sure to follow the Contributing documentation when authoring your feature!
Types of Cataloger
Catalogers generally come in two flavors:
Declared package Cataloger
One type of cataloger describes declared packages. These catalogers are used by default when scanning directories ("directory catalogers"). The default list can be found here:
syft/README.md
Lines 185 to 215 in 44e5480
These tend to be catalogers that parse manifest files for package managers (e.g. python requirements.txt, a ruby gemfile.lock, javascript package.json).
Example:
Given this package-lock.json
Syft would construct this package
Installed
The second type of cataloger is one that catalogs installed packages. These catalogers are used by default when scanning container images ("image catalogers"). This tends to be when you are parsing files that are left behind by package managers when you use them to install software packages (e.g. the RPM database, python egg or wheel metadata, etc.). The default list used for image scanning can be found here:
syft/README.md
Lines 166 to 183 in 38d5ef2
Example:
The ALPM cataloger searches for desc files using the following glob: **/var/lib/pacman/local/**/desc. Here is a quick primer on glob matching.
So when a desc file like the one below is found:
Syft would construct:
IMPORTANT
Make sure to read through different cataloger examples to be sure you're including all required information for a syft package. The above examples have been cut down for brevity, but other important fields like purl, licenses, and locations should also be considered.
How to write a cataloger
Before getting started on implementing a cataloger you need to determine which of the above flavors you are trying to build. If you’re not sure which of them you’re trying to implement, feel free to tag @anchore/tools in the issue - we’re always happy to answer questions or help with the design of new features.
Examples
Here are some good examples of recently added catalogers to work from when considering the contribution:
Components of a Cataloger
Let's take a look at a single cataloger and its constituent components and how it gets wired up into syft, starting with the Haskell cataloger:
The parser function
This function is what does all of the work in a cataloger. It takes an io.Reader to a file that contains content to be cataloged, in this case a stack.yaml file.
The cataloger object itself
This object pairs up a parser function with one or more globs to files that should be cataloged, in this case **/stack.yaml files. For a primer on globs see the previous link from this issue.
The list of catalogers
Lastly you need to wire up your cataloger into the list of catalogers that syft will use at runtime. As mentioned earlier, there are two kinds of catalogers (and not necessarily mutually exclusive), so you’ll need to add your cataloger to one or both lists.
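The parser function and cataloger object described above, sketched as an added example for the ALPM desc files mentioned earlier; this is not syft's code and not part of the original issue. The Package and Cataloger types, MatchDesc, ParseDesc and the ALPM variable are hypothetical stand-ins for syft's own API, the glob is approximated with string checks, and wiring into syft's cataloger lists is not shown.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// Package and Cataloger are hypothetical stand-ins, not syft's own types.
type Package struct{ Name, Version string }
type Cataloger struct {
	Match func(path string) bool // stands in for the glob on the page
	Parse func(io.Reader) (Package, error)
}
// MatchDesc approximates **/var/lib/pacman/local/**/desc with string checks.
func MatchDesc(path string) bool {
	_, rest, ok := strings.Cut("/"+path, "/var/lib/pacman/local/")
	return ok && strings.HasSuffix("/"+rest, "/desc")
}

// ParseDesc reads "%KEY%" header lines and the first value line after each.
func ParseDesc(r io.Reader) (Package, error) {
	raw, err := io.ReadAll(r)
	if err != nil {
		return Package{}, err
	}
	f, key := map[string]string{}, ""
	for _, line := range strings.Split(string(raw), "\n") {
		if line = strings.TrimSpace(line); len(line) > 2 && line[0] == '%' && line[len(line)-1] == '%' {
			key = strings.Trim(line, "%")
		} else if line != "" && f[key] == "" {
			f[key] = line
		}
	}
	if f["NAME"] == "" || f["VERSION"] == "" { // no half-empty packages in the SBOM
		return Package{}, fmt.Errorf("desc lacks %%NAME%% or %%VERSION%%")
	}
	return Package{f["NAME"], f["VERSION"]}, nil
}
// Catalog parses r only when the cataloger claims path; ok reports the claim.
func (c Cataloger) Catalog(path string, r io.Reader) (pkg Package, ok bool, err error) {
	if ok = c.Match(path); ok {
		pkg, err = c.Parse(r)
	}
	return pkg, ok, err
}
var ALPM = Cataloger{MatchDesc, ParseDesc} // the cataloger object: matcher paired with parser
func main() { // path and desc content are constructed samples
	fmt.Println(ALPM.Catalog("var/lib/pacman/local/zlib-1:1.3-2/desc", strings.NewReader("%NAME%\nzlib\n\n%VERSION%\n1:1.3-2\n")))
}
```

A desc file that is claimed by the matcher but lacks a name or version comes back as an error instead of a package, so a truncated or malformed database entry does not turn into a blank component in the output.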
After looking through the above examples section, the developing document is the best place to head next for details on building a new cataloger:
https://github.com/anchore/syft/blob/main/DEVELOPING.md#building-a-new-cataloger
Summary
As maintainers we're always happy to help guide this process so if you're interested please feel free to tag @anchore/tools in any of the spaces you might have questions.