github.com/lineaje-labs/syft@v0.98.1-0.20231227153149-9e393f60ff1b/syft/lib.go (about) 1 /* 2 Package syft is a "one-stop-shop" for helper utilities for all major functionality provided by child packages of the syft library. 3 4 Here is what the main execution path for syft does: 5 6 1. Parse a user image string to get a stereoscope image.Source object 7 2. Invoke all catalogers to catalog the image, adding discovered packages to a single catalog object 8 3. Invoke one or more encoders to output contents of the catalog 9 10 A Source object encapsulates the image object to be cataloged and the user options (catalog all layers vs. squashed layer), 11 providing a way to inspect paths and file content within the image. The Source object, not the image object, is used 12 throughout the main execution path. This abstraction allows for decoupling of what is cataloged (a docker image, an OCI 13 image, a filesystem, etc) and how it is cataloged (the individual catalogers). 14 15 Similar to the cataloging process, Linux distribution identification is also performed based on what is discovered within the image. 16 */ 17 package syft 18 19 import ( 20 "fmt" 21 22 "github.com/wagoodman/go-partybus" 23 24 "github.com/anchore/go-logger" 25 "github.com/anchore/syft/syft/artifact" 26 "github.com/anchore/syft/syft/linux" 27 "github.com/anchore/syft/syft/pkg" 28 "github.com/anchore/syft/syft/pkg/cataloger" 29 "github.com/anchore/syft/syft/source" 30 "github.com/lineaje-labs/syft/internal/bus" 31 "github.com/lineaje-labs/syft/internal/log" 32 ) 33 34 // CatalogPackages takes an inventory of packages from the given image from a particular perspective 35 // (e.g. squashed source, all-layers source). Returns the discovered set of packages, the identified Linux 36 // distribution, and the source object used to wrap the data source. 37 func CatalogPackages( 38 src source.Source, cfg cataloger.Config, 39 ) (*pkg.Collection, []artifact.Relationship, *linux.Release, error) { 40 resolver, err := src.FileResolver(cfg.Search.Scope) 41 if err != nil { 42 return nil, nil, nil, fmt.Errorf("unable to determine resolver while cataloging packages: %w", err) 43 } 44 45 // find the distro 46 release := linux.IdentifyRelease(resolver) 47 if release != nil { 48 log.Infof("identified distro: %s", release.String()) 49 } else { 50 log.Info("could not identify distro") 51 } 52 53 // if the catalogers have been configured, use them regardless of input type 54 var catalogers []pkg.Cataloger 55 if len(cfg.Catalogers) > 0 { 56 catalogers = cataloger.AllCatalogers(cfg) 57 } else { 58 // otherwise conditionally use the correct set of loggers based on the input type (container image or directory) 59 60 // TODO: this is bad, we should not be using the concrete type to determine the cataloger set 61 // instead this should be a caller concern (pass the catalogers you want to use). The SBOM build PR will do this. 62 switch src.(type) { 63 case *source.StereoscopeImageSource: 64 log.Info("cataloging an image") 65 catalogers = cataloger.ImageCatalogers(cfg) 66 case *source.FileSource: 67 log.Info("cataloging a file") 68 catalogers = cataloger.AllCatalogers(cfg) 69 case *source.DirectorySource: 70 log.Info("cataloging a directory") 71 catalogers = cataloger.DirectoryCatalogers(cfg) 72 default: 73 return nil, nil, nil, fmt.Errorf("unsupported source type: %T", src) 74 } 75 } 76 77 catalog, relationships, err := cataloger.Catalog(resolver, release, cfg.Parallelism, catalogers...) 78 79 // apply exclusions to the package catalog 80 // default config value for this is true 81 // https://github.com/anchore/syft/issues/931 82 if cfg.ExcludeBinaryOverlapByOwnership { 83 for _, r := range relationships { 84 if cataloger.ExcludeBinaryByFileOwnershipOverlap(r, catalog) { 85 catalog.Delete(r.To.ID()) 86 relationships = removeRelationshipsByID(relationships, r.To.ID()) 87 } 88 } 89 } 90 91 // no need to consider source relationships for os -> binary exclusions 92 relationships = append(relationships, newSourceRelationshipsFromCatalog(src, catalog)...) 93 return catalog, relationships, release, err 94 } 95 96 func removeRelationshipsByID(relationships []artifact.Relationship, id artifact.ID) []artifact.Relationship { 97 var filtered []artifact.Relationship 98 for _, r := range relationships { 99 if r.To.ID() != id && r.From.ID() != id { 100 filtered = append(filtered, r) 101 } 102 } 103 return filtered 104 } 105 106 func newSourceRelationshipsFromCatalog(src source.Source, c *pkg.Collection) []artifact.Relationship { 107 relationships := make([]artifact.Relationship, 0) // Should we pre-allocate this by giving catalog a Len() method? 108 for p := range c.Enumerate() { 109 relationships = append(relationships, artifact.Relationship{ 110 From: src, 111 To: p, 112 Type: artifact.ContainsRelationship, 113 }) 114 } 115 116 return relationships 117 } 118 119 // SetLogger sets the logger object used for all syft logging calls. 120 func SetLogger(logger logger.Logger) { 121 log.Set(logger) 122 } 123 124 // SetBus sets the event bus for all syft library bus publish events onto (in-library subscriptions are not allowed). 125 func SetBus(b *partybus.Bus) { 126 bus.Set(b) 127 }