
     1  package githubactions
     2  
     3  import (
     4  	"fmt"
     5  	"io"
     6  
     7  	"gopkg.in/yaml.v3"
     8  
     9  	"github.com/anchore/syft/syft/artifact"
    10  	"github.com/anchore/syft/syft/file"
    11  	"github.com/anchore/syft/syft/pkg"
    12  	"github.com/anchore/syft/syft/pkg/cataloger/generic"
    13  )
    14  
// Compile-time assertion that parseCompositeActionForActionUsage satisfies generic.Parser.
var _ generic.Parser = parseCompositeActionForActionUsage
    16  
// compositeActionDef is the subset of a composite action definition
// (action.yml) that this parser decodes. Only the top-level `runs` mapping is
// modeled; every other key in the document is not represented here.
type compositeActionDef struct {
	Runs compositeActionRunsDef `yaml:"runs"`
}
    20  
// compositeActionRunsDef models the `runs` mapping of a composite action.
// Only the `steps` list is decoded, since that is where `uses:` references
// to other actions appear.
type compositeActionRunsDef struct {
	Steps []stepDef `yaml:"steps"`
}
    24  
// parseCompositeActionForActionUsage is a generic.Parser for a GitHub
// composite action definition. It decodes the `runs.steps` list and records
// one package per step that carries a non-empty `uses:` value, attributing
// each package to reader.Location.
//
// The resolver and environment parameters are unused. The entire reader is
// buffered into memory before decoding, so input size is bounded only by what
// the caller hands in. The reader is never closed here; presumably the caller
// owns its lifetime — confirm against the generic cataloger. No relationships
// are produced.
//
// A wrapped error is returned when the content cannot be read or is not
// parseable YAML.
func parseCompositeActionForActionUsage(_ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
	raw, readErr := io.ReadAll(reader)
	if readErr != nil {
		return nil, nil, fmt.Errorf("unable to read yaml composite action file: %w", readErr)
	}

	var action compositeActionDef
	if decodeErr := yaml.Unmarshal(raw, &action); decodeErr != nil {
		return nil, nil, fmt.Errorf("unable to parse yaml composite action file: %w", decodeErr)
	}

	// The collection deduplicates identical usages before they are handed to
	// higher-level processing.
	found := pkg.NewCollection()
	for _, step := range action.Runs.Steps {
		usage := step.Uses
		if usage == "" {
			// a step without `uses:` references no action, so there is nothing to record
			continue
		}
		if candidate := newPackageFromUsageStatement(usage, reader.Location); candidate != nil {
			found.Add(*candidate)
		}
	}

	return found.Sorted(), nil, nil
}