Bump Syft from 0.60.3 to 0.66.1 (#440)

* Bump github.com/anchore/syft from 0.60.3 to 0.65.0 Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 0.60.3 to 0.65.0. - [Release notes](https://github.com/anchore/syft/releases) - [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml) - [Commits](anchore/syft@v0.60.3...v0.65.0) --- updated-dependencies: - dependency-name: github.com/anchore/syft dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Bump Syft from 0.60.3 to 0.66.1 - Adds internal SPDX 2.2 support, sine Syft 0.66.1 supports 2.3 - Clean up Syft and CycloneDX models, and update test fixtures - Fixes long-failing SBOM test failures - Add clarifying comments Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
paketo-buildpacks · Jan 17, 2023 · f959f31 · f959f31
1 parent ac9385b
commit f959f31
Show file tree

Hide file tree

Showing 80 changed files with 3,228 additions and 2,096 deletions.
diff --git a/go.mod b/go.mod
@@ -5,18 +5,18 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v1.2.1
 	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
-	github.com/anchore/stereoscope v0.0.0-20221006201143-d24c9d626b33
-	github.com/anchore/syft v0.60.3
+	github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
+	github.com/anchore/syft v0.66.1
+	github.com/apex/log v1.1.4
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
 	github.com/gabriel-vasile/mimetype v1.4.1
-	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/onsi/gomega v1.24.2
 	github.com/pelletier/go-toml v1.9.5
 	github.com/sclevine/spec v1.4.0
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
+	github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342
 	github.com/sergi/go-diff v1.3.1
 	github.com/stretchr/testify v1.8.1
 	github.com/ulikunitz/xz v0.5.11

diff --git a/go.sum b/go.sum
diff --git a/sbom/formatted_reader_test.go b/sbom/formatted_reader_test.go
@@ -119,8 +119,8 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 
 			// Ensures pretty printing
 			Expect(buffer.String()).To(ContainSubstring(`{
- "SPDXID": "SPDXRef-DOCUMENT",
- "creationInfo": {`))
+ "Reviews": null,
+ "SPDXID": "SPDXRef-DOCUMENT"`))
 
 			var spdxOutput spdxOutput
 
@@ -137,7 +137,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 			Expect(spdxOutput.Packages[5].Name).To(Equal("wrappy"), buffer.String())
 
 			// Ensure documentNamespace and creationInfo.created have reproducible values
-			Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-5eb1cfc4-105b-5002-b80e-04a3f4cef71b"), buffer.String())
+			Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-d359f27c-86a7-5551-b971-9c7afd003959"), buffer.String())
 			Expect(spdxOutput.CreationInfo.Created).To(BeZero(), buffer.String())
 
 			rerunBuffer := bytes.NewBuffer(nil)
@@ -186,7 +186,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 					Expect(spdxOutput.Packages[5].Name).To(Equal("wrappy"), buffer.String())
 
 					// Ensure documentNamespace and creationInfo.created have reproducible values
-					Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-e4c3c453-ddc9-5920-995f-5a1a8472b6e8"), buffer.String())
+					Expect(spdxOutput.DocumentNamespace).To(Equal("https://paketo.io/packit/dir/testdata-c6ae45ee-2cee-584a-b637-9de3c8486856"), buffer.String())
 					Expect(spdxOutput.CreationInfo.Created).To(Equal(time.Unix(1659551872, 0).UTC()), buffer.String())
 
 					rerunBuffer := bytes.NewBuffer(nil)
@@ -272,7 +272,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 		Expect(rerunBuffer.String()).To(Equal(buffer.String()))
 	})
 
-	it("writes the SBOM in the latest Syft format (3.*)", func() {
+	it("writes the SBOM in the latest Syft format (6.*)", func() {
 		buffer := bytes.NewBuffer(nil)
 		_, err := io.Copy(buffer, sbom.NewFormattedReader(bom, sbom.Format(syft.JSONFormatID)))
 		Expect(err).NotTo(HaveOccurred())
@@ -282,7 +282,7 @@ func testFormattedReader(t *testing.T, context spec.G, it spec.S) {
 		err = json.Unmarshal(buffer.Bytes(), &syftOutput)
 		Expect(err).NotTo(HaveOccurred(), buffer.String())
 
-		Expect(syftOutput.Schema.Version).To(MatchRegexp(`3\.\d+\.\d+`), buffer.String())
+		Expect(syftOutput.Schema.Version).To(MatchRegexp(`6\.\d+\.\d+`), buffer.String())
 
 		Expect(syftOutput.Source.Type).To(Equal("directory"), buffer.String())
 		Expect(syftOutput.Source.Target).To(Equal("testdata/"), buffer.String())

diff --git a/sbom/init_test.go b/sbom/init_test.go
@@ -8,7 +8,7 @@ import (
 	"github.com/sclevine/spec/report"
 )
 
-func TestSBOM(t *testing.T) {
+func TestUnitSBOM(t *testing.T) {
 	format.MaxLength = 0
 
 	suite := spec.New("sbom", spec.Report(report.Terminal{}))

diff --git a/sbom/internal/formats/common/testutils/utils.go b/sbom/internal/formats/common/testutils/utils.go
diff --git a/sbom/internal/formats/cyclonedx13/cyclonedx/README.md b/sbom/internal/formats/cyclonedx13/cyclonedx/README.md
@@ -8,3 +8,5 @@ which [supports CycloneDX Spec version
 Only the portions of the package that are strictly necessary for SBOM encoding
 have been included here.
 
+
+This is required because the upstream code base does not support versioned specs.
diff --git a/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/README.md b/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/README.md
@@ -4,6 +4,9 @@ internal `cyclonedxhelpers` package. The version copied is from an [old
 commit](https://github.com/anchore/syft/blob/a86dd3704efdb19aea22774eb7e099d4e85d41e4/internal/formats/common/cyclonedxhelpers)
 of Syft that supports CycloneDX JSON Schema 1.3.
 
+Any helpers here remain because they contain 1.3-specific logic, so we cannot
+use upstream code.
+
 The implementation of `decoder` has been omitted for
 simplicity, since it is not required for buildpacks' SBOM generation.
 
diff --git a/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/author.go b/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/author.go
@@ -7,6 +7,8 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )
 
+// We must copy this helper in because it's not exported from
+// syft/formats/common/cyclonedxhelpers
 func encodeAuthor(p pkg.Package) string {
 	if hasMetadata(p) {
 		switch metadata := p.Metadata.(type) {

diff --git a/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/component.go b/sbom/internal/formats/cyclonedx13/cyclonedxhelpers/component.go
@@ -6,6 +6,8 @@ import (
 )
 
 // Relies on cycloneDX published structs
+// We must copy this helper in because it's not exported from
+// syft/formats/common/cyclonedxhelpers
 func encodeComponent(p pkg.Package) cyclonedx.Component {
 	props := encodeProperties(p, "syft:package")
 	props = append(props, encodeCPEs(p)...)