
Commit 058235e

feat: Add support for jar scanning
refactor: Parser target resolver to re-use from lockfile and directory reader
feat: Add support for scope based parse target resolution
refactor: Dir reader to use config struct
test: Fix directory reader tests
refactor: Rename parser utils to resolver
1 parent 78af01e commit 058235e

14 files changed: +1477 / -54 lines changed

README.md

Lines changed: 12 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -91,25 +91,31 @@ vet scan -D /path/to/repository
9191
- Run `vet` to scan specific (supported) package manifests
9292

9393
```bash
94-
vet scan --lockfiles /path/to/pom.xml
95-
vet scan --lockfiles /path/to/requirements.txt
96-
vet scan --lockfiles /path/to/package-lock.json
94+
vet scan -M /path/to/pom.xml
95+
vet scan -M /path/to/requirements.txt
96+
vet scan -M /path/to/package-lock.json
9797
```
9898

99+
**Note:** `--lockfiles` is generalized to `-M` or `--manifests` to support additional
100+
types of package manifests or other artifacts in future.
101+
99102
#### Scanning SBOM
100103

101104
- Scan an SBOM in [CycloneDX](https://cyclonedx.org/) format
102105

103106
```bash
104-
vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx
107+
vet scan -M /path/to/cyclonedx-sbom.json --type bom-cyclonedx
105108
```
106109

107110
- Scan an SBOM in [SPDX](https://spdx.dev/) format
108111

109112
```bash
110-
vet scan --lockfiles /path/to/spdx-sbom.json --lockfile-as bom-spdx
113+
vet scan -M /path/to/spdx-sbom.json --type bom-spdx
111114
```
112115

116+
**Note:** `--type` is a generalized version of `--lockfile-as` to support additional
117+
artifact types in future.
118+
113119
> **Note:** SBOM scanning feature is currently in experimental stage
114120
115121
#### Scanning Github Repositories
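Review bot: both added **Note:** paragraphs say the old flags (`--lockfiles`, `--lockfile-as`) are "generalized" to `-M`/`--manifests` and `--type`, but neither says whether the old spellings still work, and the examples drop them entirely, so a reader with existing scripts cannot tell if `vet scan --lockfiles ...` now errors or is silently accepted as an alias. Suggest stating the compatibility policy explicitly, for example `**Note:** `--lockfiles` is still accepted as an alias of `-M`/`--manifests` and will be removed in a future release.` if that is the intent; also "in future" reads better as "in the future" in both notes.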
@@ -265,6 +271,7 @@ Refer to [CONTRIBUTING.md](CONTRIBUTING.md)
265271
## 🔖 References
266272

267273
- https://github.com/google/osv-scanner
274+
- https://github.com/anchore/syft
268275
- https://deps.dev/
269276
- https://securityscorecards.dev/
270277
- https://slsa.dev/
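Review bot: the commit adds jar scanning, but this README hunk documents nothing about it (no `vet scan` example for a jar and no new entry in the supported manifest list), and the only visible trace is the bare `https://github.com/anchore/syft` reference added here. Suggest a short usage example alongside the other `-M` examples and a sentence explaining that syft backs the new jar support (go.mod in this commit adds `github.com/anchore/syft v1.11.1`), so the reference is self-explanatory.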

go.mod

Lines changed: 82 additions & 22 deletions
@@ -5,6 +5,7 @@ go 1.22.1
55
require (
66
github.com/AlecAivazis/survey/v2 v2.3.7
77
github.com/CycloneDX/cyclonedx-go v0.9.0
8+
github.com/anchore/syft v1.11.1
89
github.com/cayleygraph/cayley v0.7.7-0.20240706181042-81dcd7d73e45
910
github.com/cayleygraph/quad v1.3.0
1011
github.com/cli/oauth v1.0.1
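Review bot: `github.com/anchore/syft v1.11.1` is a new direct dependency with a large transitive footprint (the following hunks add on the order of sixty `// indirect` modules, including container runtime, registry and archive-handling libraries), which is a notable widening of the supply-chain surface for a single feature. Worth confirming that the committed go.sum covers every new module and that `go mod tidy` was run so the indirect list is as small as the feature allows.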
@@ -15,18 +16,18 @@ require (
1516
github.com/golang/protobuf v1.5.4
1617
github.com/google/cel-go v0.21.0
1718
github.com/google/go-github/v54 v54.0.0
18-
github.com/google/osv-scanner v1.8.3
19+
github.com/google/osv-scanner v1.8.4
1920
github.com/jedib0t/go-pretty/v6 v6.5.9
2021
github.com/kubescape/go-git-url v0.0.30
2122
github.com/owenrumney/go-sarif/v2 v2.3.3
2223
github.com/package-url/packageurl-go v0.1.3
2324
github.com/safedep/dry v0.0.0-20240808054916-b31bac30d0ef
2425
github.com/sirupsen/logrus v1.9.3
25-
github.com/smacker/go-tree-sitter v0.0.0-20240625050157-a31a98a7c0f6
26+
github.com/smacker/go-tree-sitter v0.0.0-20240827094217-dd81d9e9be82
2627
github.com/spdx/tools-golang v0.5.5
2728
github.com/spf13/cobra v1.8.1
2829
github.com/stretchr/testify v1.9.0
29-
golang.org/x/oauth2 v0.22.0
30+
golang.org/x/oauth2 v0.23.0
3031
google.golang.org/protobuf v1.34.2
3132
gopkg.in/yaml.v2 v2.4.0
3233
)
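Review bot: this hunk bumps `github.com/google/osv-scanner` (v1.8.3 to v1.8.4), `github.com/smacker/go-tree-sitter` and `golang.org/x/oauth2` (v0.22.0 to v0.23.0), none of which is mentioned in the commit message, which only lists the jar-scanning feature and the resolver refactors. Suggest either calling the bumps out in the message or moving them to a separate dependency-update commit so the changelog and any bisect stay accurate.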
@@ -39,49 +40,79 @@ require (
3940
github.com/CloudyKit/jet/v6 v6.2.0 // indirect
4041
github.com/DataDog/datadog-go v4.8.3+incompatible // indirect
4142
github.com/Joker/jade v1.1.3 // indirect
42-
github.com/Masterminds/semver/v3 v3.2.1 // indirect
43+
github.com/Masterminds/semver/v3 v3.3.0 // indirect
4344
github.com/Microsoft/go-winio v0.6.2 // indirect
4445
github.com/ProtonMail/go-crypto v1.0.0 // indirect
4546
github.com/Shopify/goreferrer v0.0.0-20240724165105-aceaa0259138 // indirect
47+
github.com/acobaugh/osrelease v0.1.0 // indirect
48+
github.com/adrg/xdg v0.5.0 // indirect
4649
github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5 // indirect
50+
github.com/anchore/clio v0.0.0-20240806233806-4c50c054c508 // indirect
51+
github.com/anchore/fangs v0.0.0-20240904151251-ac0148f53e5d // indirect
52+
github.com/anchore/go-logger v0.0.0-20240217160628-ee28a485904f // indirect
53+
github.com/anchore/go-macholibre v0.0.0-20240116161251-5df1434a0b50 // indirect
4754
github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
55+
github.com/anchore/packageurl-go v0.1.1-0.20240507183024-848e011fc24f // indirect
56+
github.com/anchore/stereoscope v0.0.3 // indirect
4857
github.com/andybalholm/brotli v1.1.0 // indirect
4958
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
5059
github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
5160
github.com/aymerick/douceur v0.2.0 // indirect
61+
github.com/becheran/wildmatch-go v1.0.0 // indirect
5262
github.com/beorn7/perks v1.0.1 // indirect
63+
github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
5364
github.com/boltdb/bolt v1.3.1 // indirect
54-
github.com/bytedance/sonic v1.12.1 // indirect
65+
github.com/bytedance/sonic v1.12.2 // indirect
5566
github.com/bytedance/sonic/loader v0.2.0 // indirect
5667
github.com/cactus/go-statsd-client/statsd v0.0.0-20200423205355-cb0885a1018c // indirect
5768
github.com/cespare/xxhash/v2 v2.3.0 // indirect
5869
github.com/chainguard-dev/git-urls v1.0.2 // indirect
59-
github.com/cloudflare/circl v1.3.9 // indirect
70+
github.com/cloudflare/circl v1.4.0 // indirect
6071
github.com/cloudwego/base64x v0.1.4 // indirect
6172
github.com/cloudwego/iasm v0.2.0 // indirect
73+
github.com/containerd/containerd v1.7.21 // indirect
74+
github.com/containerd/errdefs v0.1.0 // indirect
6275
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
6376
github.com/dlclark/regexp2 v1.11.4 // indirect
64-
github.com/dop251/goja v0.0.0-20240806095544-3491d4a58fbe // indirect
77+
github.com/docker/cli v27.2.0+incompatible // indirect
78+
github.com/docker/docker-credential-helpers v0.8.2 // indirect
79+
github.com/docker/go-connections v0.5.0 // indirect
80+
github.com/dop251/goja v0.0.0-20240828124009-016eb7256539 // indirect
81+
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
82+
github.com/facebookincubator/nvdtools v0.1.5 // indirect
6583
github.com/fatih/structs v1.1.0 // indirect
84+
github.com/felixge/fgprof v0.9.5 // indirect
6685
github.com/flosch/pongo2/v4 v4.0.2 // indirect
86+
github.com/fsnotify/fsnotify v1.7.0 // indirect
6787
github.com/gabriel-vasile/mimetype v1.4.5 // indirect
6888
github.com/gin-contrib/sse v0.1.0 // indirect
6989
github.com/gin-gonic/gin v1.10.0 // indirect
90+
github.com/github/go-spdx/v2 v2.3.1 // indirect
7091
github.com/go-playground/locales v0.14.1 // indirect
7192
github.com/go-playground/universal-translator v0.18.1 // indirect
7293
github.com/go-playground/validator/v10 v10.22.0 // indirect
94+
github.com/go-restruct/restruct v1.2.0-alpha // indirect
7395
github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
7496
github.com/goccy/go-json v0.10.3 // indirect
7597
github.com/gojek/valkyrie v0.0.0-20190210220504-8f62c1e7ba45 // indirect
7698
github.com/golang/snappy v0.0.4 // indirect
7799
github.com/gomarkdown/markdown v0.0.0-20240730141124-034f12af3bf6 // indirect
100+
github.com/google/go-cmp v0.6.0 // indirect
101+
github.com/google/go-containerregistry v0.20.2 // indirect
78102
github.com/google/go-querystring v1.1.0 // indirect
79-
github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
103+
github.com/google/licensecheck v0.3.1 // indirect
104+
github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 // indirect
80105
github.com/google/uuid v1.6.0 // indirect
106+
github.com/gookit/color v1.5.4 // indirect
81107
github.com/gorilla/css v1.0.1 // indirect
108+
github.com/hashicorp/errwrap v1.1.0 // indirect
109+
github.com/hashicorp/go-multierror v1.1.1 // indirect
110+
github.com/hashicorp/hcl v1.0.0 // indirect
82111
github.com/hidal-go/hidalgo v0.3.0 // indirect
112+
github.com/iancoleman/strcase v0.3.0 // indirect
83113
github.com/inconshreveable/mousetrap v1.1.0 // indirect
84114
github.com/iris-contrib/schema v0.0.6 // indirect
115+
github.com/jinzhu/copier v0.4.0 // indirect
85116
github.com/josharian/intern v1.0.0 // indirect
86117
github.com/json-iterator/go v1.1.12 // indirect
87118
github.com/kataras/blocks v0.0.8 // indirect
@@ -93,63 +124,92 @@ require (
93124
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
94125
github.com/klauspost/compress v1.17.9 // indirect
95126
github.com/klauspost/cpuid/v2 v2.2.8 // indirect
127+
github.com/klauspost/pgzip v1.2.6 // indirect
96128
github.com/labstack/echo/v4 v4.12.0 // indirect
97129
github.com/labstack/gommon v0.4.2 // indirect
98130
github.com/leodido/go-urn v1.4.0 // indirect
131+
github.com/magiconair/properties v1.8.7 // indirect
99132
github.com/mailgun/raymond/v2 v2.0.48 // indirect
100133
github.com/mailru/easyjson v0.7.7 // indirect
101134
github.com/mattn/go-colorable v0.1.13 // indirect
102135
github.com/mattn/go-isatty v0.0.20 // indirect
103136
github.com/mattn/go-runewidth v0.0.16 // indirect
104137
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
138+
github.com/mholt/archiver/v3 v3.5.1 // indirect
105139
github.com/microcosm-cc/bluemonday v1.0.27 // indirect
140+
github.com/mitchellh/go-homedir v1.1.0 // indirect
141+
github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
106142
github.com/mitchellh/mapstructure v1.5.0 // indirect
143+
github.com/moby/sys/mountinfo v0.7.2 // indirect
107144
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
108145
github.com/modern-go/reflect2 v1.0.2 // indirect
109146
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
147+
github.com/nwaples/rardecode v1.1.3 // indirect
110148
github.com/oklog/ulid/v2 v2.1.0 // indirect
111-
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
149+
github.com/opencontainers/go-digest v1.0.0 // indirect
150+
github.com/pborman/indent v1.2.1 // indirect
151+
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
152+
github.com/pierrec/lz4/v4 v4.1.21 // indirect
112153
github.com/piprate/json-gold v0.5.0 // indirect
113154
github.com/pkg/errors v0.9.1 // indirect
155+
github.com/pkg/profile v1.7.0 // indirect
114156
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
115157
github.com/pquerna/cachecontrol v0.2.0 // indirect
116-
github.com/prometheus/client_golang v1.19.1 // indirect
158+
github.com/prometheus/client_golang v1.20.3 // indirect
117159
github.com/prometheus/client_model v0.6.1 // indirect
118-
github.com/prometheus/common v0.55.0 // indirect
160+
github.com/prometheus/common v0.59.1 // indirect
119161
github.com/prometheus/procfs v0.15.1 // indirect
120162
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
121163
github.com/rivo/uniseg v0.4.7 // indirect
122164
github.com/russross/blackfriday/v2 v2.1.0 // indirect
165+
github.com/sagikazarmark/locafero v0.6.0 // indirect
166+
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
167+
github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
123168
github.com/schollz/closestmatch v2.1.0+incompatible // indirect
169+
github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
170+
github.com/sourcegraph/conc v0.3.0 // indirect
171+
github.com/spf13/afero v1.11.0 // indirect
172+
github.com/spf13/cast v1.7.0 // indirect
124173
github.com/spf13/pflag v1.0.5 // indirect
174+
github.com/spf13/viper v1.19.0 // indirect
125175
github.com/stoewer/go-strcase v1.3.0 // indirect
126176
github.com/stretchr/objx v0.5.2 // indirect
177+
github.com/subosito/gotenv v1.6.0 // indirect
178+
github.com/sylabs/squashfs v1.0.0 // indirect
127179
github.com/tdewolff/minify/v2 v2.20.37 // indirect
128180
github.com/tdewolff/parse/v2 v2.7.15 // indirect
181+
github.com/therootcompany/xz v1.0.1 // indirect
129182
github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
130183
github.com/tylertreat/BoomFilters v0.0.0-20210315201527-1a82519a3e43 // indirect
131184
github.com/ugorji/go/codec v1.2.12 // indirect
185+
github.com/ulikunitz/xz v0.5.12 // indirect
132186
github.com/valyala/bytebufferpool v1.0.0 // indirect
133187
github.com/valyala/fasttemplate v1.2.2 // indirect
188+
github.com/vifraa/gopom v1.0.0 // indirect
134189
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
135190
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
191+
github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
192+
github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
193+
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
194+
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
136195
github.com/yosssi/ace v0.0.5 // indirect
137196
go.uber.org/multierr v1.11.0 // indirect
138197
go.uber.org/zap v1.27.0 // indirect
139-
golang.org/x/arch v0.9.0 // indirect
140-
golang.org/x/crypto v0.26.0 // indirect
141-
golang.org/x/exp v0.0.0-20240808152545-0cdaa3abc0fa // indirect
142-
golang.org/x/mod v0.20.0 // indirect
143-
golang.org/x/net v0.28.0 // indirect
144-
golang.org/x/sys v0.24.0 // indirect
145-
golang.org/x/term v0.23.0 // indirect
146-
golang.org/x/text v0.17.0 // indirect
198+
golang.org/x/arch v0.10.0 // indirect
199+
golang.org/x/crypto v0.27.0 // indirect
200+
golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect
201+
golang.org/x/mod v0.21.0 // indirect
202+
golang.org/x/net v0.29.0 // indirect
203+
golang.org/x/sys v0.25.0 // indirect
204+
golang.org/x/term v0.24.0 // indirect
205+
golang.org/x/text v0.18.0 // indirect
147206
golang.org/x/time v0.6.0 // indirect
148-
google.golang.org/genproto/googleapis/api v0.0.0-20240812133136-8ffd90a71988 // indirect
149-
google.golang.org/genproto/googleapis/rpc v0.0.0-20240812133136-8ffd90a71988 // indirect
207+
google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
208+
google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
209+
google.golang.org/grpc v1.66.0 // indirect
150210
gopkg.in/ini.v1 v1.67.0 // indirect
151211
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
152212
gopkg.in/yaml.v3 v3.0.1 // indirect
153-
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
213+
k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 // indirect
154214
sigs.k8s.io/yaml v1.4.0 // indirect
155215
)
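Review bot: this hunk pulls in several archive and decompression libraries (`github.com/mholt/archiver/v3`, `github.com/nwaples/rardecode`, `github.com/ulikunitz/xz`, `github.com/xi2/xz`, `github.com/therootcompany/xz`, `github.com/sylabs/squashfs`, `github.com/klauspost/pgzip`), which is expected for jar scanning but means `vet` now decompresses archive contents found in the directories it scans. Suggest documenting (or verifying in the directory reader) what size, nesting and file-count limits apply during extraction, since unbounded decompression of a malformed archive is a resource-exhaustion risk for a scanner run on untrusted repositories; also note that three separate xz implementations now sit in the module graph, which is worth a follow-up `go mod why` to see whether any can be dropped.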
