feat: Add the origin field to the output format of syftjson #1327
wagoodman merged 5 commits into anchore:main from TupleType:main
Conversation
Thanks for the contribution @asi-cider! It looks like this Origin field is specific to NPM packages and as such should not be added to the main pkg.Package but rather the appropriate metadata type. In this case we probably need a new metadata type, something like PackageLockPackageMetadata, which is set when creating the package, which contains the Origin field. An example metadata type is here.
I think this change would also reduce some of the conflicts, as it stands there are a number of conflicts to resolve if you are able to.
Hey @kzantow, thanks for the response. This field exists in some form or another in all kinds of lock files. Currently I've added this for npm and Pipfile, but I intend to add this for more ecosystems. Do you still think it should be added as a metadata field?
@asi-cider I agree with @kzantow on this one. Though there are some similarities between different package managers on this field, at this time I think keeping this kind of field in the
Sure, I'll add that in.
Hey @kzantow and @wagoodman,
Hey @kzantow, could you guide me on how to fix the unit tests?
Hey @kzantow @wagoodman, could you please help?
@asi-cider I'll have a look today, but there's a conflict that needs to be dealt with -- are you able to merge the latest
I can help out with the git conflicts and other updates.
I rebased on main and made the following changes:
wagoodman left a comment
Thanks for the improvements @asi-cider!
…1327)

* moved the relevant fields to the Metadata field
* added metadata types
* Added hashes to metadata of package-lock.json and Pipfile.lock
* move package metadata types to "pkg" package
* re-generate json schema to include new npm, python, and binary metadatas

Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
This PR adds the origin field to the output format of syftjson when parsing "package-lock.json" or "Pipfile.lock". The origin field can be useful in tracking the origin of downloaded packages in case of a security incident. The origin field contains the URL used to download an artifact according to the appropriate lock file. For example, package-lock.json has the resolved field to indicate the URL used to download the package.
I wasn't able to find a way to update the golden files of the integration tests similarly to the argument in the unit tests' golden files. Could you please guide me on how to update them?
Changes to the golden files were done using the appropriate parameters of the test files.
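As an added illustration of the approach the reviewers asked for (not code from syft or from this PR), the Go program below parses a package-lock.json and stores each package's `resolved` URL and `integrity` hash in a separate metadata struct rather than on the package itself. `NpmPackageLockMetadata`, `Package`, `ParsePackageLock` and the embedded lock file are all assumed/constructed names for this example, not syft's real types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NpmPackageLockMetadata is a hypothetical metadata type (modelled on the reviewer's
// suggestion, not syft's real type): the URL the tarball was resolved from and its hash.
type NpmPackageLockMetadata struct{ Resolved, Integrity string }
// Package is a minimal stand-in for the cataloged package record.
type Package struct {
	Name, Version string
	Metadata      NpmPackageLockMetadata
}
// lockFile reads the lockfileVersion 2/3 "packages" map, keyed by install path ("node_modules/@scope/name").
type lockFile struct {
	Packages map[string]struct{ Version, Resolved, Integrity string } `json:"packages"` // keys match case-insensitively
}

// ParsePackageLock returns the installed packages, keyed by name, with their origin metadata.
func ParsePackageLock(data []byte) (map[string]Package, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	pkgs := make(map[string]Package)
	for path, e := range lf.Packages { // the "" root entry (the project itself) has no origin and is skipped
		if i := strings.LastIndex(path, "node_modules/"); i >= 0 {
			name := path[i+len("node_modules/"):]
			pkgs[name] = Package{name, e.Version, NpmPackageLockMetadata{e.Resolved, e.Integrity}}
		}
	}
	return pkgs, nil
}

// sampleLock is a constructed lock file, not taken from any real project.
const sampleLock = `{"lockfileVersion": 2, "packages": {"": {"name": "demo"},
 "node_modules/demo-lib": {"version": "1.3.0", "integrity": "sha512-EXAMPLE1", "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.3.0.tgz"},
 "node_modules/@scope/pkg": {"version": "2.0.0", "integrity": "sha512-EXAMPLE2", "resolved": "https://mirror.example.internal/@scope/pkg-2.0.0.tgz"}}}`

func main() {
	pkgs, err := ParsePackageLock([]byte(sampleLock))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs { // during an incident, look here for origins outside the expected registry
		fmt.Printf("%s@%s origin=%s integrity=%s\n", p.Name, p.Version, p.Metadata.Resolved, p.Metadata.Integrity)
	}
}
```

Nested paths such as `node_modules/a/node_modules/b` resolve to the innermost package name, and scoped packages keep their `@scope/` prefix.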