feat: add initial dotnet-support (#951)

* feat: add initial dotnet-support

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: add path, sha512 and hashpath

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: add missing dot

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: lint warnings

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix CLI test package counts to account for dotnet

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix: updated packagurl-go

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* tidy go.sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update json schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>

README.md

@@ -31,6 +31,7 @@ A CLI tool and Go library for generating a Software Bill of Materials (SBOM) fro
 - Alpine (apk)
 - Dart (pubs)
 - Debian (dpkg)
+- Dotnet (deps.json)
 - Go (go.mod, Go binaries)
 - Java (jar, ear, war, par, sar)
 - JavaScript (npm, yarn)

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/anchore/go-rpmdb v0.0.0-20210914181456-a9c52348da63
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
-	github.com/anchore/packageurl-go v0.1.1-0.20220314153042-1bcd40e5206b
+	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
 	github.com/anchore/stereoscope v0.0.0-20220406160859-c03a18a6b270
 	github.com/antihax/optional v1.0.0
 	github.com/bmatcuk/doublestar/v4 v4.0.2

go.sum

@@ -272,8 +272,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/packageurl-go v0.1.1-0.20220314153042-1bcd40e5206b h1:YJWYt/6KQXR9JR46lLHrTTYi8rcye42tKcyjREA/hvA=
-github.com/anchore/packageurl-go v0.1.1-0.20220314153042-1bcd40e5206b/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
+github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 h1:kDrYkTSM9uIxaX/P9s0F4nKYNM+hnSgLJdLpqvsaQ/g=
+github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
 github.com/anchore/stereoscope v0.0.0-20220406160859-c03a18a6b270 h1:NmxPDR6vo3xjwCL6o+tpF1vUad/BVo+WaVSwueB9W9w=
 github.com/anchore/stereoscope v0.0.0-20220406160859-c03a18a6b270/go.mod h1:yoCLUZY0k/pYLNIy0L80p2Ko0PKVNXm8rHtgxp4OiSc=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=

internal/constants.go

@@ -6,5 +6,5 @@ const (
 
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "3.2.2"
+	JSONSchemaVersion = "3.2.3"
 )

internal/formats/common/spdxhelpers/source_info.go

@@ -17,6 +17,8 @@ func SourceInfo(p pkg.Package) string {
 		answer = "acquired package info from pubspec manifest"
 	case pkg.DebPkg:
 		answer = "acquired package info from DPKG DB"
+	case pkg.DotnetPkg:
+		answer = "acquired package info from dotnet project assets file"
 	case pkg.NpmPkg:
 		answer = "acquired package info from installed node module manifest file"
 	case pkg.PythonPkg:

internal/formats/common/spdxhelpers/source_info_test.go

@@ -134,6 +134,14 @@ func Test_SourceInfo(t *testing.T) {
 				"from pubspec manifest",
 			},
 		},
+		{
+			input: pkg.Package{
+				Type: pkg.DotnetPkg,
+			},
+			expected: []string{
+				"from dotnet project assets file",
+			},
+		},
 	}
 	var pkgTypes []pkg.Type
 	for _, test := range tests {

internal/formats/syftjson/model/package.go

@@ -136,6 +136,12 @@ func (p *Package) UnmarshalJSON(b []byte) error {
 			return err
 		}
 		p.Metadata = payload
+	case pkg.DotnetDepsMetadataType:
+		var payload pkg.DotnetDepsMetadata
+		if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil {
+			return err
+		}
+		p.Metadata = payload
 	default:
 		log.Warnf("unknown package metadata type=%q for packageID=%q", p.MetadataType, p.ID)
 	}

internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden

@@ -88,7 +88,7 @@
   }
  },
  "schema": {
-  "version": "3.2.2",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.2.json"
+  "version": "3.2.3",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.3.json"
  }
 }

internal/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden

@@ -184,7 +184,7 @@
   }
  },
  "schema": {
-  "version": "3.2.2",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.2.json"
+  "version": "3.2.3",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.3.json"
  }
 }

internal/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden

@@ -111,7 +111,7 @@
   }
  },
  "schema": {
-  "version": "3.2.2",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.2.json"
+  "version": "3.2.3",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-3.2.3.json"
  }
 }

schema/json/generate.go

@@ -38,6 +38,7 @@ type artifactMetadataContainer struct {
 	Go     pkg.GolangBinMetadata
 	Php    pkg.PhpComposerJSONMetadata
 	Dart   pkg.DartPubMetadata
+	Dotnet pkg.DotnetDepsMetadata
 }
 
 func main() {