// Source: github.com/anchore/syft@v1.38.2/internal/task/relationship_tasks.go

package task

import (
	"context"

	"github.com/anchore/syft/internal/relationship"
	"github.com/anchore/syft/internal/relationship/binary"
	"github.com/anchore/syft/internal/sbomsync"
	"github.com/anchore/syft/syft/artifact"
	"github.com/anchore/syft/syft/cataloging"
	"github.com/anchore/syft/syft/file"
	"github.com/anchore/syft/syft/sbom"
	"github.com/anchore/syft/syft/source"
)

// Compile-time proof that *sourceIdentifierAdapter satisfies artifact.Identifiable.
var _ artifact.Identifiable = (*sourceIdentifierAdapter)(nil)

// sourceIdentifierAdapter wraps a source.Description so that it can be handed
// to code that expects an artifact.Identifiable.
type sourceIdentifierAdapter struct {
	desc source.Description
}

// ID returns the wrapped description's ID converted to an artifact.ID.
func (s sourceIdentifierAdapter) ID() artifact.ID {
	return artifact.ID(s.desc.ID)
}

// NewRelationshipsTask builds the "relationships-cataloger" task. When run, the
// task calls finalizeRelationships with the given configuration and with src
// wrapped as an artifact.Identifiable. The task ignores its context argument
// and always returns nil.
func NewRelationshipsTask(cfg cataloging.RelationshipsConfig, src source.Description) Task {
	return NewTask("relationships-cataloger", func(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error {
		origin := &sourceIdentifierAdapter{desc: src}
		finalizeRelationships(resolver, builder, cfg, origin)

		return nil
	})
}

// finalizeRelationships prunes packages and records relationships on the SBOM
// behind builder. The steps run in a fixed order: package removal first, then
// the package-to-package, binary dependency, source-to-package and
// package-to-file relationships.
//
// NOTE(review): packages deleted here are presumably absent from the emitted
// SBOM, so SBOM consumers (for example vulnerability matching) would only see
// the entry that superseded them; confirm against sbomsync before relying on it.
func finalizeRelationships(resolver file.Resolver, builder sbomsync.Builder, cfg cataloging.RelationshipsConfig, src artifact.Identifiable) {
	// Unchecked assertion: this panics if builder does not also implement
	// sbomsync.Accessor.
	acc := builder.(sbomsync.Accessor)

	// Drop ELF and binary packages that a source package already represents
	// (e.g. a package that is evident by some package manager).
	redundant := binary.PackagesToRemove(acc)
	builder.DeletePackages(redundant...)

	// Package-to-package: packages evident by a file that another package owns.
	if cfg.PackageFileOwnershipOverlap {
		relationship.ByFileOwnershipOverlapWorker(resolver, acc)
	}

	// Conditionally remove binary packages based on the file ownership overlap
	// relationships found above.
	// https://github.com/anchore/syft/issues/931
	if cfg.ExcludeBinaryPackagesWithFileOwnershipOverlap {
		relationship.ExcludeBinariesByFileOwnershipOverlap(acc)
	}

	// Dependency relationships for executables.
	// NOTE(review): the same slice is appended to s.Relationships inside
	// WriteToSBOM and then passed to builder.AddRelationships. If
	// AddRelationships also appends to the SBOM, each edge is recorded twice;
	// confirm against sbomsync and whether a later de-duplication pass exists.
	binaryRels := binary.NewDependencyRelationships(resolver, acc)
	acc.WriteToSBOM(func(s *sbom.SBOM) {
		s.Relationships = append(s.Relationships, binaryRels...)
	})
	builder.AddRelationships(binaryRels...)

	// Source-to-package: the source "contains package" relationships.
	var fromSource []artifact.Relationship
	acc.ReadFromSBOM(func(s *sbom.SBOM) {
		fromSource = relationship.ToSource(src, s.Artifacts.Packages)
	})
	builder.AddRelationships(fromSource...)

	// Package-to-file: the evident-by relationships.
	var evidence []artifact.Relationship
	acc.ReadFromSBOM(func(s *sbom.SBOM) {
		evidence = relationship.EvidentBy(s.Artifacts.Packages)
	})
	builder.AddRelationships(evidence...)
}