Merge remote-tracking branch 'upstream/main' into chore/refactor-mave…

…n-resolver

.binny.yaml

@@ -103,7 +103,7 @@ tools:
   # used for running all local and CI tasks
   - name: task
     version:
-      want: v3.39.1
+      want: v3.39.2
     method: github-release
     with:
       repo: go-task/task

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8214744c546c1e5c8f03dde8fab3a7353211988d #v3.26.7
+      uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 #v3.26.8
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8214744c546c1e5c8f03dde8fab3a7353211988d #v3.26.7
+      uses: github/codeql-action/autobuild@294a9d92911152fe08befb9ec03e240add280cb3 #v3.26.8
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8214744c546c1e5c8f03dde8fab3a7353211988d #v3.26.7
+      uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 #v3.26.8

.github/workflows/update-bootstrap-tools.yml

@@ -49,7 +49,7 @@ jobs:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
 
-      - uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 #v7.0.3
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
         with:
           signoff: true
           delete-branch: true

.github/workflows/update-cpe-dictionary-index.yml

@@ -33,7 +33,7 @@ jobs:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
 
-      - uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 #v7.0.3
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
         with:
           signoff: true
           delete-branch: true

.github/workflows/update-stereoscope-release.yml

@@ -44,7 +44,7 @@ jobs:
           app_id: ${{ secrets.TOKEN_APP_ID }}
           private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
 
-      - uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 #v7.0.3
+      - uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
         with:
           signoff: true
           delete-branch: true

cmd/syft/internal/options/catalog.go

@@ -37,6 +37,7 @@ type Catalog struct {
 	Scope             string              `yaml:"scope" json:"scope" mapstructure:"scope"`
 	Parallelism       int                 `yaml:"parallelism" json:"parallelism" mapstructure:"parallelism"` // the number of catalog workers to run in parallel
 	Relationships     relationshipsConfig `yaml:"relationships" json:"relationships" mapstructure:"relationships"`
+	Compliance        complianceConfig    `yaml:"compliance" json:"compliance" mapstructure:"compliance"`
 	Enrich            []string            `yaml:"enrich" json:"enrich" mapstructure:"enrich"`
 
 	// ecosystem-specific cataloger configuration
@@ -62,6 +63,7 @@ var _ interface {
 
 func DefaultCatalog() Catalog {
 	return Catalog{
+		Compliance:    defaultComplianceConfig(),
 		Scope:         source.SquashedScope.String(),
 		Package:       defaultPackageConfig(),
 		LinuxKernel:   defaultLinuxKernelConfig(),
@@ -79,6 +81,7 @@ func (cfg Catalog) ToSBOMConfig(id clio.Identification) *syft.CreateSBOMConfig {
 		WithTool(id.Name, id.Version).
 		WithParallelism(cfg.Parallelism).
 		WithRelationshipsConfig(cfg.ToRelationshipsConfig()).
+		WithComplianceConfig(cfg.ToComplianceConfig()).
 		WithSearchConfig(cfg.ToSearchConfig()).
 		WithPackagesConfig(cfg.ToPackagesConfig()).
 		WithFilesConfig(cfg.ToFilesConfig()).
@@ -104,6 +107,13 @@ func (cfg Catalog) ToRelationshipsConfig() cataloging.RelationshipsConfig {
 	}
 }
 
+func (cfg Catalog) ToComplianceConfig() cataloging.ComplianceConfig {
+	return cataloging.ComplianceConfig{
+		MissingName:    cfg.Compliance.MissingName,
+		MissingVersion: cfg.Compliance.MissingVersion,
+	}
+}
+
 func (cfg Catalog) ToFilesConfig() filecataloging.Config {
 	hashers, err := intFile.Hashers(cfg.File.Metadata.Digests...)
 	if err != nil {
@@ -239,6 +249,11 @@ func (cfg *Catalog) PostLoad() error {
 		return fmt.Errorf("bad scope value %q", cfg.Scope)
 	}
 
+	// the binary package exclusion code depends on the file overlap relationships being created upstream in processing
+	if !cfg.Relationships.PackageFileOwnershipOverlap && cfg.Package.ExcludeBinaryOverlapByOwnership {
+		return fmt.Errorf("cannot enable exclude-binary-overlap-by-ownership without enabling package-file-ownership-overlap")
+	}
+
 	return nil
 }
 

cmd/syft/internal/options/catalog_test.go

@@ -57,6 +57,14 @@ func TestCatalog_PostLoad(t *testing.T) {
 				assert.Empty(t, options.Catalogers)
 			},
 		},
+		{
+			name: "must have package overlap flag when pruning binaries by overlap",
+			options: Catalog{
+				Package:       packageConfig{ExcludeBinaryOverlapByOwnership: true},
+				Relationships: relationshipsConfig{PackageFileOwnershipOverlap: false},
+			},
+			wantErr: assert.Error,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

cmd/syft/internal/options/compliance.go

@@ -0,0 +1,35 @@
+package options
+
+import (
+	"github.com/anchore/fangs"
+	"github.com/anchore/syft/syft/cataloging"
+)
+
+var (
+	_ fangs.FieldDescriber = (*complianceConfig)(nil)
+	_ fangs.PostLoader     = (*complianceConfig)(nil)
+)
+
+type complianceConfig struct {
+	MissingName    cataloging.ComplianceAction `mapstructure:"missing-name" json:"missing-name" yaml:"missing-name"`
+	MissingVersion cataloging.ComplianceAction `mapstructure:"missing-version" json:"missing-version" yaml:"missing-version"`
+}
+
+func defaultComplianceConfig() complianceConfig {
+	def := cataloging.DefaultComplianceConfig()
+	return complianceConfig{
+		MissingName:    def.MissingName,
+		MissingVersion: def.MissingVersion,
+	}
+}
+
+func (r *complianceConfig) DescribeFields(descriptions fangs.FieldDescriptionSet) {
+	descriptions.Add(&r.MissingName, "action to take when a package is missing a name")
+	descriptions.Add(&r.MissingVersion, "action to take when a package is missing a version")
+}
+
+func (r *complianceConfig) PostLoad() error {
+	r.MissingName = r.MissingName.Parse()
+	r.MissingVersion = r.MissingVersion.Parse()
+	return nil
+}

go.mod

@@ -29,11 +29,11 @@ require (
 	github.com/dave/jennifer v1.7.1
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
 	github.com/distribution/reference v0.6.0
-	github.com/docker/docker v27.2.1+incompatible
+	github.com/docker/docker v27.3.0+incompatible
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5
-	github.com/github/go-spdx/v2 v2.3.1
+	github.com/github/go-spdx/v2 v2.3.2
 	github.com/gkampitakis/go-snaps v0.5.7
 	github.com/go-git/go-billy/v5 v5.5.0
 	github.com/go-git/go-git/v5 v5.12.0

go.sum

@@ -229,8 +229,8 @@ github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2
 github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.2.1+incompatible h1:fQdiLfW7VLscyoeYEBz7/J8soYFDZV1u6VW6gJEjNMI=
-github.com/docker/docker v27.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.3.0+incompatible h1:BNb1QY6o4JdKpqwi9IB+HUYcRRrVN4aGFUTvDmWYK1A=
+github.com/docker/docker v27.3.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -285,8 +285,8 @@ github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyT
 github.com/gabriel-vasile/mimetype v1.4.4 h1:QjV6pZ7/XZ7ryI2KuyeEDE8wnh7fHP9YnQy+R0LnH8I=
 github.com/gabriel-vasile/mimetype v1.4.4/go.mod h1:JwLei5XPtWdGiMFB5Pjle1oEeoSeEuJfJE+TtfvdB/s=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/github/go-spdx/v2 v2.3.1 h1:ffGuHTbHuHzWPt53n8f9o8clGutuLPObo3zB4JAjxU8=
-github.com/github/go-spdx/v2 v2.3.1/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ=
+github.com/github/go-spdx/v2 v2.3.2 h1:IfdyNHTqzs4zAJjXdVQfRnxt1XMfycXoHBE2Vsm1bjs=
+github.com/github/go-spdx/v2 v2.3.2/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ=
 github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvpAv8=
 github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
 github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.16"
+	JSONSchemaVersion = "16.0.17"
 )

internal/relationship/exclude_binaries_by_file_ownership_overlap.go

@@ -25,55 +25,102 @@ var (
 	binaryMetadataTypes = []string{
 		reflect.TypeOf(pkg.ELFBinaryPackageNoteJSONPayload{}).Name(),
 		reflect.TypeOf(pkg.BinarySignature{}).Name(),
+		reflect.TypeOf(pkg.JavaVMInstallation{}).Name(),
 	}
 )
 
 func ExcludeBinariesByFileOwnershipOverlap(accessor sbomsync.Accessor) {
 	accessor.WriteToSBOM(func(s *sbom.SBOM) {
 		for _, r := range s.Relationships {
-			if excludeBinaryByFileOwnershipOverlap(r, s.Artifacts.Packages) {
-				s.Artifacts.Packages.Delete(r.To.ID())
-				s.Relationships = RemoveRelationshipsByID(s.Relationships, r.To.ID())
+			if idToRemove := excludeByFileOwnershipOverlap(r, s.Artifacts.Packages); idToRemove != "" {
+				s.Artifacts.Packages.Delete(idToRemove)
+				s.Relationships = RemoveRelationshipsByID(s.Relationships, idToRemove)
 			}
 		}
 	})
 }
 
-// excludeBinaryByFileOwnershipOverlap will remove packages from a collection given the following properties are true
-// 1) the relationship between packages is OwnershipByFileOverlap
-// 2) the parent is an "os" package
-// 3) the child is a synthetic package generated by the binary cataloger
-// 4) the package names are identical
-// This was implemented as a way to help resolve: https://github.com/anchore/syft/issues/931
-func excludeBinaryByFileOwnershipOverlap(r artifact.Relationship, c *pkg.Collection) bool {
+// excludeByFileOwnershipOverlap will remove packages that should be overridden by a more authoritative package,
+// such as an OS package or a package from a cataloger with more specific information being raised up.
+func excludeByFileOwnershipOverlap(r artifact.Relationship, c *pkg.Collection) artifact.ID {
 	if artifact.OwnershipByFileOverlapRelationship != r.Type {
-		return false
+		return ""
 	}
 
 	parent := c.Package(r.From.ID())
 	if parent == nil {
-		return false
-	}
-
-	parentInExclusion := slices.Contains(osCatalogerTypes, parent.Type)
-	if !parentInExclusion {
-		return false
+		return ""
 	}
 
 	child := c.Package(r.To.ID())
 	if child == nil {
-		return false
+		return ""
+	}
+
+	if idToRemove := identifyOverlappingOSRelationship(parent, child); idToRemove != "" {
+		return idToRemove
+	}
+
+	if idToRemove := identifyOverlappingJVMRelationship(parent, child); idToRemove != "" {
+		return idToRemove
+	}
+
+	return ""
+}
+
+// identifyOverlappingJVMRelationship indicates the package to remove if this is a binary -> binary pkg relationship
+// with a java binary signature package and a more authoritative JVM release package.
+func identifyOverlappingJVMRelationship(parent *pkg.Package, child *pkg.Package) artifact.ID {
+	if !slices.Contains(binaryCatalogerTypes, parent.Type) {
+		return ""
+	}
+
+	if !slices.Contains(binaryCatalogerTypes, child.Type) {
+		return ""
+	}
+
+	if child.Metadata == nil {
+		return ""
+	}
+
+	var (
+		foundJVM   bool
+		idToRemove artifact.ID
+	)
+	for _, p := range []*pkg.Package{parent, child} {
+		switch p.Metadata.(type) {
+		case pkg.JavaVMInstallation:
+			foundJVM = true
+		default:
+			idToRemove = p.ID()
+		}
+	}
+
+	if foundJVM {
+		return idToRemove
+	}
+
+	return ""
+}
+
+// identifyOverlappingOSRelationship indicates the package ID to remove if this is an OS pkg -> bin pkg relationship.
+// This was implemented as a way to help resolve: https://github.com/anchore/syft/issues/931
+func identifyOverlappingOSRelationship(parent *pkg.Package, child *pkg.Package) artifact.ID {
+	if !slices.Contains(osCatalogerTypes, parent.Type) {
+		return ""
 	}
 
 	if slices.Contains(binaryCatalogerTypes, child.Type) {
-		return true
+		return child.ID()
 	}
 
 	if child.Metadata == nil {
-		return false
+		return ""
 	}
 
-	childMetadataType := reflect.TypeOf(child.Metadata)
+	if !slices.Contains(binaryMetadataTypes, reflect.TypeOf(child.Metadata).Name()) {
+		return ""
+	}
 
-	return slices.Contains(binaryMetadataTypes, childMetadataType.Name())
+	return child.ID()
 }