Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add package for go compiler given binary detection #2195

Merged
merged 12 commits into from
Oct 6, 2023
Merged

feat: add package for go compiler given binary detection #2195

merged 12 commits into from
Oct 6, 2023

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Oct 4, 2023
edited by wagoodman

Syft currently has a Golang binary cataloger. This PR adds a unique synthetic package to the SBOM output that represents the go compiler when detected as a part of the go binary cataloger.

When using an SBOM generated by syft - downstream vulnerability scanners now have the opportunity to detect/report on the PURL/CPEs attached to the new package.

One more piece of work should be doing a bit more string parsing on the go version to identify rc and other candidate releases to improve CPE generation. I'll make those changes before we review.

Closes #1853

@spiffcs
feat: add cpe generation for golang compiler
5c16036 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: append CPE for detecting go compiler version
315c57a 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
test: add integration test for detectecing go compiler version
a1894b5 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
test: update integration tests to cover compiler detection
d66e4cc 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
fix: remove incidental wip commit
1ca17dd 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
feat: lift compiler package creation to individual per location set
5617c1b 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs requested a review from wagoodman October 5, 2023 13:01
@spiffcs spiffcs marked this pull request as ready for review October 5, 2023 13:01
@spiffcs
test: clean up integration tests adding new package and version
ea15f25 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
fix: unique compiler package per unique location set
654145c 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
chore: use location set implementation
305c465 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
fix: update cpe generation and add unit test
0d0d16c 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs added the blocked Progress is being stopped by something label Oct 6, 2023
@spiffcs
Copy link
Contributor Author

spiffcs commented Oct 6, 2023

Blocked on #2201

Will merge after review and 2201 is merged into main

@spiffcs
Merge branch 'main' into go-compiler-version
5a87a12 
* main:
  chore: update license list to 3.22 (#2201)
  Add exact syntax of the conversion formats (#2196)
  chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7 (#2198)
  chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0 (#2199)
  chore: removes unnecessary conditional (#2194)
@spiffcs spiffcs removed the blocked Progress is being stopped by something label Oct 6, 2023
@spiffcs
test: update integration test to use new name
add430f 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
wagoodman
wagoodman approved these changes Oct 6, 2023
View reviewed changes
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙌

@spiffcs spiffcs merged commit f6c8057 into main Oct 6, 2023
9 checks passed
@spiffcs spiffcs deleted the go-compiler-version branch October 6, 2023 17:15
@spiffcs spiffcs mentioned this pull request Oct 9, 2023
Closed
@chenrui333 chenrui333 mentioned this pull request Oct 10, 2023
Merged
@westonsteimel westonsteimel mentioned this pull request Feb 16, 2024
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
feat: add package for go compiler given binary detection (anchore#2195)
5fbaefc 
adds a unique synthetic package to the SBOM output that represents the go compiler when it is detected as a part of a package discovered by the go binary cataloger.

When using an SBOM generated by syft - downstream vulnerability scanners now have the opportunity to detect/report on the PURL/CPEs attached to the new stdlib package.
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@sunwhawhang sunwhawhang mentioned this pull request Apr 3, 2024
Open
@sunwhawhang sunwhawhang mentioned this pull request Apr 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Golang STD library package given a Golang binary has been discovered compiled with that go binary
2 participants
@spiffcs @wagoodman