
Option to enable specific language or ecosystem cataloger#843

Merged
wagoodman merged 11 commits into anchore:add-catalogers-configuration from deepfence:main
Jun 9, 2022

Conversation

ramanan-ravi commented Feb 23, 2022

Fixes #840

If the user knows the languages / ecosystems in the image or file system being scanned, the user can run syft to generate an SBOM only for those specific languages / ecosystems.

Example command to enable a language or ecosystem cataloger

syft packages alpine:latest --enable-cataloger apkdb-cataloger

kzantow (Contributor) commented Feb 23, 2022

This is looking pretty good, at first glance. I'll review more thoroughly later today. Note you'll need to sign-off and sign the commits: https://github.com/anchore/syft/blob/main/CONTRIBUTING.md#contributing-to-syft

Signed-off-by: Ramanan Ravikumar <ramanan@deepfence.io>
Comment thread README.md
scope: "squashed"

# enable specific language or ecosystem cataloger
# default: all catalogers are enabled by default
Contributor:

nit: mentioning that all catalogers are enabled by default is a little misleading. There is still a selection of which catalogers to use based off of the source (dir scan or image scan)

Comment thread README.md
# - "java-cataloger"
# - "apkdb-cataloger"
# - "go-module-binary-cataloger"
enable-cataloger:
Contributor:

nit: since this takes multiple values it should probably be enable-catalogers

Comment thread cmd/packages.go Outdated
)

flags.StringArrayP(
"enable-cataloger", "", nil,
Contributor:

this could probably just be catalogers on the cli.

Contributor:

I was thinking the same thing here 👍

return catalogers
}
var filteredCatalogers []Cataloger
for _, cataloger := range catalogers {
Contributor:

we could add additional logic such that the string -cataloger is optional on each user-specified name, to be nicer to the user.
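The filtering loop quoted above, together with the suggestion to make the "-cataloger" suffix optional, as an added Go example that is not syft's own code: a hypothetical FilterCatalogers that normalizes user-supplied names, preserves the order of the available (source-selected) catalogers, treats an empty request as "no filtering", and returns an error for a name that matches nothing instead of silently dropping it. That last check is the one a practitioner wants, because a typo in a cataloger name that is ignored quietly yields an SBOM that is simply missing packages, and any vulnerability matching downstream inherits that gap without warning. The Cataloger interface, the namedCataloger type and the sample cataloger list are stand-ins constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Cataloger is a minimal stand-in for a cataloger interface (hypothetical:
// only the name is needed to demonstrate selection by name).
type Cataloger interface {
	Name() string
}

// namedCataloger is a constructed implementation used as sample data.
type namedCataloger struct{ name string }

func (c namedCataloger) Name() string { return c.name }

// normalizeName lowercases a user-supplied name and strips an optional
// "-cataloger" suffix, so "apkdb", "apkdb-cataloger" and "APKDB-Cataloger"
// all select the same cataloger.
func normalizeName(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), "-cataloger")
}

// FilterCatalogers keeps only the catalogers whose names were requested,
// in the order they appear in `available`. An empty request list means
// "no filtering" (keep whatever the source-based selection produced).
// A requested name that matches no available cataloger is an error rather
// than a silent no-op, so a typo cannot quietly shrink the SBOM.
func FilterCatalogers(available []Cataloger, requested []string) ([]Cataloger, error) {
	if len(requested) == 0 {
		return available, nil
	}
	wanted := make(map[string]bool, len(requested))
	for _, r := range requested {
		wanted[normalizeName(r)] = false // false = not matched yet
	}
	var selected []Cataloger
	for _, c := range available {
		key := normalizeName(c.Name())
		if _, ok := wanted[key]; ok {
			wanted[key] = true
			selected = append(selected, c)
		}
	}
	var unknown []string
	for name, matched := range wanted {
		if !matched {
			unknown = append(unknown, name)
		}
	}
	if len(unknown) > 0 {
		sort.Strings(unknown)
		return nil, fmt.Errorf("unknown cataloger(s): %s", strings.Join(unknown, ", "))
	}
	return selected, nil
}

// Names returns the cataloger names in order, for logging and assertions.
func Names(cs []Cataloger) []string {
	out := make([]string, 0, len(cs))
	for _, c := range cs {
		out = append(out, c.Name())
	}
	return out
}

// DefaultCatalogers is a constructed sample set; the first three names are
// the ones shown in the README snippet discussed in this thread, the fourth
// is an additional sample entry.
func DefaultCatalogers() []Cataloger {
	return []Cataloger{
		namedCataloger{"apkdb-cataloger"},
		namedCataloger{"java-cataloger"},
		namedCataloger{"go-module-binary-cataloger"},
		namedCataloger{"python-package-cataloger"},
	}
}

func main() {
	selected, err := FilterCatalogers(DefaultCatalogers(), []string{"apkdb", "Java-Cataloger"})
	fmt.Println(Names(selected), err)

	// A misspelled name is rejected instead of silently producing a smaller SBOM.
	_, err = FilterCatalogers(DefaultCatalogers(), []string{"rust"})
	fmt.Println(err)
}
```

The map value doubles as a "was this request matched" flag, which is what lets the function report every unmatched name at once rather than only the first.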

wagoodman (Contributor):

Open question: in the near future we will be deprecating the packages subcommand and instead suggesting that folks use the root command. Why is this important? This switch also signals the ability to leverage non-package catalogers, found here: https://github.com/anchore/syft/tree/main/syft/file .

I feel that this work should also consider how that should work (either in this PR or in a future state)

houdini91 (Contributor) commented Mar 8, 2022

Hi guys.
I was trying to understand the difference between the groups of catalogers that are assigned by default to images vs directories.
I am not sure I understand the difference between the two defined groups ("installation" vs "index"); can anyone clarify this a bit for me?

  • Should these groups be configurable as well, as opposed to hard-coding the cataloger group by scheme?
    Of course this suggestion is in some sense redundant because this PR will allow full cataloger-specific customization as well.

houdini91 (Contributor) commented Mar 13, 2022

Hi people.
Added a commit to fix the cataloger naming comment.
I pushed a PR to deepfence:main from my fork (should I have pushed somewhere else?).

deepfence#1

houdini91 (Contributor):

Update:
I opened a new PR - https://github.com/anchore/syft/pull/888/files
I apologize, but I wanted to rebase against main and add a small --cataloger-group feature suggestion.

wagoodman (Contributor) commented Jun 9, 2022

Hey! 👋 I tried to push a few updates to the PR branch without success:

$ git push origin HEAD:refs/pull/843/head

Enumerating objects: 238, done.
Counting objects: 100% (165/165), done.
Delta compression using up to 12 threads
Compressing objects: 100% (93/93), done.
Writing objects: 100% (95/95), 16.42 KiB | 840.00 KiB/s, done.
Total 95 (delta 73), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (73/73), completed with 36 local objects.
To github.com:anchore/syft.git
 ! [remote rejected]   HEAD -> refs/pull/843/head (deny updating a hidden ref)
error: failed to push some refs to 'github.com:anchore/syft.git'

Same story with a force push... I'm going to get this pulled into an in-repo branch so that I can apply some updates. See the new PR here: #1038

@wagoodman wagoodman changed the base branch from main to add-catalogers-configuration June 9, 2022 14:45
@wagoodman wagoodman merged commit 8a06195 into anchore:add-catalogers-configuration Jun 9, 2022


Development

Successfully merging this pull request may close these issues: Enable/disable SBOM generation for specific language types

6 participants