Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

composer.json isn't parsed for packages #1064

Closed
cpendery opened this issue Jun 24, 2022 · 5 comments · Fixed by #1065
Closed

composer.json isn't parsed for packages #1064

cpendery opened this issue Jun 24, 2022 · 5 comments · Fixed by #1065
Labels
bug Something isn't working

Comments

@cpendery
Copy link
Contributor

What happened:
Syft isn't detecting any packages when given file:composer.json

What you expected to happen:
It should be able to index those packages since it's listed in the Syft supported languages

How to reproduce it (as minimally and precisely as possible):
Clone this repo and run Syft on it

Anything else we need to know?:
Found by @josecoimbra in anchore/grype#797

Environment:

  • Output of syft version: 48.1
  • OS (e.g: cat /etc/os-release or similar):
System Version: macOS 11.6 (20G165)
Kernel Version: Darwin 20.6.0
Model Name: MacBook Pro
Model Identifier: MacBookPro16,1
Processor Name: 6-Core Intel Core i7
@cpendery cpendery added the bug Something isn't working label Jun 24, 2022
@cpendery cpendery changed the title Syft composer.json isn't parsed for packages composer.json isn't parsed for packages Jun 24, 2022
@cpendery
Copy link
Contributor Author

Happy to add a cataloger for composer.json files to https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/cataloger.go#L80

@spiffcs
Copy link
Contributor

spiffcs commented Jun 24, 2022

Thanks @cpendery! If you want to add this support go ahead. Really appreciate you filling out syft's support for more things.

@josecoimbra
Copy link

Happy to add a cataloger for composer.json files to https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/cataloger.go#L80

@cpendery Perhaps it could be better to use composer.lock, since composer.json has only direct dependencies, leaving dependencies of dependencies out.

@cpendery
Copy link
Contributor Author

Happy to add a cataloger for composer.json files to https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/cataloger.go#L80

@cpendery Perhaps it could be better to use composer.lock, since composer.json has only direct dependencies, leaving dependencies of dependencies out.

Sounds great! I'll tag you on PR and test it on the repo you linked to make sure it meets what you're looking for

@cpendery
Copy link
Contributor Author

@josecoimbra it looks like I should have dug a little deeper into Syft's code. Syft already index's composer's composer.lock and installed.json files to detect resolved files in the project. I'll update Grype's documentation to reflect this, and I'm making a PR to add support for using file:composer.lock since that isn't supported right now. This matches with how all other ecosystems work where a lock file gives version resolutions, like Javascript, in Syft.

@cpendery cpendery mentioned this issue Jun 24, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: add php catalogers to all catalogers cpendery/syft
3 participants
@spiffcs @cpendery @josecoimbra