
add pom.xml cataloger #1055

Merged
spiffcs merged 5 commits into anchore:main from jonasagx:add-pom-xml-cataloger on Jun 22, 2022

Conversation

jonasagx (Contributor) commented Jun 21, 2022

Add a parser to extract dependencies from pom.xml.

Dependencies have dependencies themselves that might not be listed in the original pom and will only appear after you run mvn install. These deps of deps won't be included in the final sbom.

Fix: #676

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
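The extraction the description refers to, as an added example that is not syft's own cataloger code: a small Go parser that reads the `<dependency>` elements declared directly in a pom.xml and returns them as package records. The `pomProject`/`declaredDependency` types, `parsePomXML`, and the embedded `samplePom` are constructed for this illustration; the sample deliberately includes one dependency without a `<version>` (as happens when a parent POM's `dependencyManagement` supplies it) so the empty-version case is visible. As the description states, only what the file declares is returned; transitive dependencies are not known until Maven resolves them.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// pomProject mirrors only the POM elements needed to list declared dependencies.
// The struct tags carry no namespace, so the decoder accepts the usual
// xmlns="http://maven.apache.org/POM/4.0.0" as well as namespace-less files.
type pomProject struct {
	XMLName      xml.Name        `xml:"project"`
	GroupID      string          `xml:"groupId"`
	ArtifactID   string          `xml:"artifactId"`
	Version      string          `xml:"version"`
	Dependencies []pomDependency `xml:"dependencies>dependency"`
}

type pomDependency struct {
	GroupID    string `xml:"groupId"`
	ArtifactID string `xml:"artifactId"`
	Version    string `xml:"version"`
	Scope      string `xml:"scope"`
}

// declaredDependency is one <dependency> element as it would be recorded in an SBOM.
// (Constructed type for this example, not syft's pkg.Package.)
type declaredDependency struct {
	Group   string
	Name    string
	Version string // empty when the POM does not state one (e.g. managed by a parent POM)
	Scope   string // Maven's default is "compile" when the element is omitted
}

// parsePomXML lists the dependencies declared directly in a pom.xml.
// It reports only what the file states: dependencies of these dependencies are
// only known after Maven resolves them, so they are absent here, which is the
// caveat in the pull-request description.
// encoding/xml performs no DTD or external-entity processing, which is the
// behaviour wanted when the POM comes from an untrusted directory being scanned.
func parsePomXML(r io.Reader) ([]declaredDependency, error) {
	var proj pomProject
	if err := xml.NewDecoder(r).Decode(&proj); err != nil {
		return nil, fmt.Errorf("decode pom.xml: %w", err)
	}
	deps := make([]declaredDependency, 0, len(proj.Dependencies))
	for _, d := range proj.Dependencies {
		if strings.TrimSpace(d.ArtifactID) == "" {
			continue // a <dependency> without an artifactId names no package
		}
		scope := strings.TrimSpace(d.Scope)
		if scope == "" {
			scope = "compile"
		}
		deps = append(deps, declaredDependency{
			Group:   strings.TrimSpace(d.GroupID),
			Name:    strings.TrimSpace(d.ArtifactID),
			Version: strings.TrimSpace(d.Version),
			Scope:   scope,
		})
	}
	return deps, nil
}

// samplePom is a constructed pom.xml for demonstration; it is not taken from
// the pull request or from syft's test fixtures.
const samplePom = `<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <!-- no <version>: supplied by a parent's dependencyManagement -->
    </dependency>
  </dependencies>
</project>`

func main() {
	deps, err := parsePomXML(strings.NewReader(samplePom))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, d := range deps {
		fmt.Printf("%s:%s version=%q scope=%s\n", d.Group, d.Name, d.Version, d.Scope)
	}
}
```

Running it prints two records, the second with an empty version; a cataloger consuming this output has to decide how to represent a declared-but-unversioned dependency rather than silently dropping it.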

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
Name: dep.ArtifactID,
Version: dep.Version,
Language: pkg.Java,
Type: pkg.JavaPkg, // TODO: should we differentiate between packages from jar/war/zip versus packages from a pom.xml that were not installed yet?
jonasagx (Contributor Author) Jun 21, 2022


pinning this comment ^

spiffcs (Contributor) Jun 21, 2022


I don't have a good answer here and think it can go both ways cc @anchore/tools

Contributor


the package type isn't meant to portray the installation status of the package (for instance we have two kinds of python catalogers, one that looks for installed packages and the other for declared packages... but they always return the same python package type)

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
@jonasagx jonasagx marked this pull request as ready for review June 21, 2022 17:55
spiffcs (Contributor) commented Jun 21, 2022

Nice Addition @jonasagx!

I noticed that there were no new files or updates under the integration folders for this feature.

Should we add a pom.xml or some complex pom project to our integration images to make sure we're able to do this detection outside of the context of .jar/.war/etc.?

jonasagx (Contributor Author)

yes @spiffcs good call, it will probably be another test because the current ones rely on .jar/.war/etc.

spiffcs added 3 commits June 22, 2022 12:16
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit 1d14f22 into anchore:main Jun 22, 2022
spiffcs added a commit to jonasagx/syft that referenced this pull request Jun 27, 2022
* main: (70 commits)
  fix: add php catalogers to all catalogers (anchore#1065)
  feat: add use-all-catalogers flag (anchore#1050)
  Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (anchore#926)
  remove OSS Meetup message (anchore#1057)
  add pom.xml cataloger (anchore#1055)
  Add support for CBL-Mariner distroless images (anchore#1045)
  Add catalogers configuration (anchore#1038)
  add template output (anchore#1051)
  update stereoscope to latest version (anchore#1052)
  update zip_read_closer to incorporate zip64 support (anchore#1041)
  Add pacman (alpm) parser support (anchore#943)
  Update of README.md (anchore#1027)
  bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (anchore#1025)
  add workflows to test new project automation (anchore#1023)
  improve LanguageByName and add unit tests (anchore#1034)
  Read Description from dpkg status files (anchore#996)
  Add announcement for Anchore OSS Virtual Meetup (anchore#1033)
  add main module field to go bin metadata (anchore#1026)
  Add filters to package cataloger (anchore#1021)
  change draft to false for release process (anchore#1016)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
aiwantaozi pushed a commit to aiwantaozi/syft that referenced this pull request Oct 20, 2022
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>

Development

Successfully merging this pull request may close these issues.

Catalog packages from source pom.xml during directory scans
