package githubactions

import (
	"context"
	"fmt"
	"io"

	"gopkg.in/yaml.v3"

	"github.com/anchore/syft/syft/artifact"
	"github.com/anchore/syft/syft/file"
	"github.com/anchore/syft/syft/pkg"
	"github.com/anchore/syft/syft/pkg/cataloger/generic"
)

// Compile-time check that the parser below satisfies generic.Parser.
var _ generic.Parser = parseCompositeActionForActionUsage

// compositeActionDef is the subset of a composite action's YAML that this
// parser decodes: only the top-level "runs" mapping is read.
type compositeActionDef struct {
	Runs compositeActionRunsDef `yaml:"runs"`
}

// compositeActionRunsDef holds the "steps" sequence found under "runs".
type compositeActionRunsDef struct {
	Steps []stepDef `yaml:"steps"`
}

// parseCompositeActionForActionUsage decodes a composite action definition
// from reader and returns one package for every step that references another
// action through its "uses" field. Steps without a "uses" value are skipped.
//
// The resolver and environment parameters are unused. No relationships are
// produced, so the second return value is always nil. An error is returned
// when the file cannot be read or is not valid YAML.
func parseCompositeActionForActionUsage(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
	// The whole file is buffered in memory before decoding. The reader is not
	// closed here; presumably the caller owns its lifetime — verify against the
	// generic cataloger. NOTE(review): io.ReadAll has no size bound, so any cap
	// on the size of scanned action files must come from the caller — confirm.
	raw, readErr := io.ReadAll(reader)
	if readErr != nil {
		return nil, nil, fmt.Errorf("unable to read yaml composite action file: %w", readErr)
	}

	var action compositeActionDef
	if parseErr := yaml.Unmarshal(raw, &action); parseErr != nil {
		return nil, nil, fmt.Errorf("unable to parse yaml composite action file: %w", parseErr)
	}

	// A collection deduplicates repeated "uses" references before they are
	// handed to higher-level processing.
	found := pkg.NewCollection()
	for i := range action.Runs.Steps {
		usage := action.Runs.Steps[i].Uses
		if usage == "" {
			// a step with no "uses" value carries no action reference to record
			continue
		}
		if entry := newPackageFromUsageStatement(usage, reader.Location); entry != nil {
			found.Add(*entry)
		}
	}

	return found.Sorted(), nil, nil
}