Improve package URL support (anchore#754)

* rename npm metadata struct Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * improve os package URLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * improve language package URLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * wire up composer pURL method Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: fsl <1171313930@qq.com>
fengshunli · Jan 24, 2022 · 7893b19 · 7893b19
1 parent e69beac
commit 7893b19
Show file tree

Hide file tree

Showing 18 changed files with 501 additions and 296 deletions.
diff --git a/syft/pkg/apk_metadata.go b/syft/pkg/apk_metadata.go
@@ -3,15 +3,18 @@ package pkg
 import (
 	"sort"
 
-	"github.com/anchore/syft/syft/file"
-
 	"github.com/anchore/packageurl-go"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/linux"
 	"github.com/scylladb/go-set/strset"
 )
 
 const ApkDBGlob = "**/lib/apk/db/installed"
 
-var _ FileOwner = (*ApkMetadata)(nil)
+var (
+	_ FileOwner     = (*ApkMetadata)(nil)
+	_ urlIdentifier = (*ApkMetadata)(nil)
+)
 
 // ApkMetadata represents all captured data for a Alpine DB package entry.
 // See the following sources for more information:
@@ -45,22 +48,22 @@ type ApkFileRecord struct {
 }
 
 // PackageURL returns the PURL for the specific Alpine package (see https://github.com/package-url/purl-spec)
-func (m ApkMetadata) PackageURL() string {
-	pURL := packageurl.NewPackageURL(
+func (m ApkMetadata) PackageURL(distro *linux.Release) string {
+	return packageurl.NewPackageURL(
 		// note: this is currently a candidate and not technically within spec
 		// see https://github.com/package-url/purl-spec#other-candidate-types-to-define
 		"alpine",
 		"",
 		m.Package,
 		m.Version,
-		packageurl.Qualifiers{
-			{
-				Key:   "arch",
-				Value: m.Architecture,
+		purlQualifiers(
+			map[string]string{
+				purlArchQualifier: m.Architecture,
 			},
-		},
-		"")
-	return pURL.ToString()
+			distro,
+		),
+		"",
+	).ToString()
 }
 
 func (m ApkMetadata) OwnedFiles() (result []string) {

diff --git a/syft/pkg/apk_metadata_test.go b/syft/pkg/apk_metadata_test.go
@@ -1,6 +1,7 @@
 package pkg
 
 import (
+	"github.com/anchore/syft/syft/linux"
 	"strings"
 	"testing"
 
@@ -11,16 +12,35 @@ import (
 
 func TestApkMetadata_pURL(t *testing.T) {
 	tests := []struct {
+		name     string
 		metadata ApkMetadata
+		distro   linux.Release
 		expected string
 	}{
 		{
+			name: "gocase",
 			metadata: ApkMetadata{
 				Package:      "p",
 				Version:      "v",
 				Architecture: "a",
 			},
-			expected: "pkg:alpine/p@v?arch=a",
+			distro: linux.Release{
+				ID:        "alpine",
+				VersionID: "3.4.6",
+			},
+			expected: "pkg:alpine/p@v?arch=a&distro=alpine-3.4.6",
+		},
+		{
+			name: "missing architecure",
+			metadata: ApkMetadata{
+				Package: "p",
+				Version: "v",
+			},
+			distro: linux.Release{
+				ID:        "alpine",
+				VersionID: "3.4.6",
+			},
+			expected: "pkg:alpine/p@v?distro=alpine-3.4.6",
 		},
 		// verify #351
 		{
@@ -29,21 +49,29 @@ func TestApkMetadata_pURL(t *testing.T) {
 				Version:      "v84",
 				Architecture: "am86",
 			},
-			expected: "pkg:alpine/g++@v84?arch=am86",
+			distro: linux.Release{
+				ID:        "alpine",
+				VersionID: "3.4.6",
+			},
+			expected: "pkg:alpine/g++@v84?arch=am86&distro=alpine-3.4.6",
 		},
 		{
 			metadata: ApkMetadata{
 				Package:      "g plus plus",
 				Version:      "v84",
 				Architecture: "am86",
 			},
-			expected: "pkg:alpine/g%20plus%20plus@v84?arch=am86",
+			distro: linux.Release{
+				ID:        "alpine",
+				VersionID: "3.15.0",
+			},
+			expected: "pkg:alpine/g%20plus%20plus@v84?arch=am86&distro=alpine-3.15.0",
 		},
 	}
 
 	for _, test := range tests {
-		t.Run(test.expected, func(t *testing.T) {
-			actual := test.metadata.PackageURL()
+		t.Run(test.name, func(t *testing.T) {
+			actual := test.metadata.PackageURL(&test.distro)
 			if actual != test.expected {
 				dmp := diffmatchpatch.New()
 				diffs := dmp.DiffMain(test.expected, actual, true)

diff --git a/syft/pkg/cataloger/catalog.go b/syft/pkg/cataloger/catalog.go
@@ -68,7 +68,7 @@ func Catalog(resolver source.FileResolver, release *linux.Release, catalogers ..
 			p.CPEs = cpe.Generate(p)
 
 			// generate PURL (note: this is excluded from package ID, so is safe to mutate)
-			p.PURL = generatePackageURL(p, release)
+			p.PURL = pkg.URL(p, release)
 
 			// create file-to-package relationships for files owned by the package
 			owningRelationships, err := packageFileOwnershipRelationships(p, resolver)

diff --git a/syft/pkg/cataloger/package_url.go b/syft/pkg/cataloger/package_url.go
diff --git a/syft/pkg/cataloger/package_url_test.go b/syft/pkg/cataloger/package_url_test.go