package githubactions

import (
	"context"
	"fmt"
	"io"

	"go.yaml.in/yaml/v3"

	"github.com/anchore/syft/internal/unknown"
	"github.com/anchore/syft/syft/artifact"
	"github.com/anchore/syft/syft/file"
	"github.com/anchore/syft/syft/pkg"
	"github.com/anchore/syft/syft/pkg/cataloger/generic"
)

// Compile-time check that the parser matches the generic cataloger contract.
var _ generic.Parser = parseCompositeActionForActionUsage

// compositeActionDef is the subset of a composite action's action.yml that
// this parser cares about: only the "runs" mapping is decoded, everything
// else in the document is ignored.
type compositeActionDef struct {
	Runs compositeActionRunsDef `yaml:"runs"`
}

// compositeActionRunsDef holds the "runs.steps" list; each entry is decoded
// into the shared stepDef type used by the workflow parser as well.
type compositeActionRunsDef struct {
	Steps []stepDef `yaml:"steps"`
}

// parseCompositeActionForActionUsage decodes a composite action definition
// and reports one package per step that references another action through a
// `uses:` key. Steps without a `uses:` value are skipped; only the Uses value
// and its trailing comment (UsesComment) contribute to the resulting package.
//
// The whole file is buffered in memory before YAML decoding. Read and decode
// failures abort the parse with a wrapped error. A usage statement that cannot
// be turned into a package does not abort the parse: it is recorded against
// the file via unknown.Append and surfaced through the returned error, while
// any package that was still produced is kept. Packages are deduplicated in a
// pkg.Collection and returned sorted; no relationships are emitted.
func parseCompositeActionForActionUsage(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
	raw, err := io.ReadAll(reader)
	if err != nil {
		return nil, nil, fmt.Errorf("unable to read yaml composite action file: %w", err)
	}

	var def compositeActionDef
	if err = yaml.Unmarshal(raw, &def); err != nil {
		return nil, nil, fmt.Errorf("unable to parse yaml composite action file: %w", err)
	}

	// the collection deduplicates identical usages before they are handed up
	// to the cataloger
	found := pkg.NewCollection()

	// unknowns accumulates per-step conversion failures; it stays nil when
	// every `uses:` statement could be converted
	var unknowns error
	for _, step := range def.Runs.Steps {
		if step.Uses != "" {
			candidate, convErr := newPackageFromUsageStatement(step.Uses, step.UsesComment, reader.Location)
			if convErr != nil {
				unknowns = unknown.Append(unknowns, reader, convErr)
			}
			if candidate != nil {
				found.Add(*candidate)
			}
		}
	}

	return found.Sorted(), nil, unknowns
}