
Extract language and package type from pURLs on SBOM decode #777

Merged
merged 4 commits into main from spdx-extract-info-from-purl on Jan 27, 2022

Conversation

wagoodman (Contributor):

This PR paves the way to use pURLs as a way to indicate package language and package type, two attributes that are not easily encoded into in-spec properties for CycloneDX and SPDX. This will be useful when decoding SBOM documents that did not necessarily originate from Syft, but do have pURL information available.

Possible future SPDX decode function:

```go
func toSyftPackage(p model.Package) pkg.Package {
	purl := spdxhelpers.ExtractPURL(p.ExternalRefs)
	sP := pkg.Package{
		Type:     pkg.TypeFromPURL(purl), // <---- new function
		Name:     p.Name,
		Version:  p.VersionInfo,
		Licenses: spdxhelpers.ParseLicense(p.LicenseDeclared),
		CPEs:     spdxhelpers.ExtractCPEs(p.ExternalRefs),
		PURL:     purl,
		Language: pkg.LanguageFromPURL(purl), // <---- new function
	}

	sP.SetID()

	return sP
}
```

Additionally adds pURL support for cargo and npm package types.

Related to anchore/grype#395

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
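As an added worked example (not code from this PR or from syft), the following Go program shows what a TypeFromPURL / LanguageFromPURL pair amounts to on the decode side: split the pURL in the order the purl-spec prescribes, lower-case the type, percent-decode the name, namespace and version, and look the type up in a type-to-ecosystem table. The parser, the table and the sample pURLs are this example's own; the package-type and language strings are chosen to match what syft reports for those ecosystems, and the OS package type (deb) deliberately carries no language. A pURL that does not parse or has an unmapped type maps to an unknown package type rather than raising an error, because in an SBOM that did not come from syft the pURL is producer-supplied data and one bad reference should not abort the whole decode.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PURL holds the parts of pkg:type/namespace/name@version?qualifiers#subpath
// that matter for type and language detection (the subpath is dropped).
type PURL struct {
	Type, Namespace, Name, Version string
	Qualifiers                     map[string]string
}

// decode percent-unescapes s; the first bad escape is reported through err.
func decode(s string, err *error) string {
	v, e := url.PathUnescape(s)
	if e != nil && *err == nil {
		*err = e
	}
	return v
}

// ParsePURL splits a pURL in the purl-spec decoding order (subpath, qualifiers,
// scheme, type, version, name, namespace). Example parser, not syft's own.
func ParsePURL(s string) (p PURL, err error) {
	rest, _, _ := strings.Cut(s, "#") // subpath, if any, is not needed here
	if i := strings.LastIndex(rest, "?"); i >= 0 {
		p.Qualifiers = map[string]string{}
		for _, kv := range strings.Split(rest[i+1:], "&") {
			if k, v, ok := strings.Cut(kv, "="); ok && k != "" {
				p.Qualifiers[strings.ToLower(k)] = decode(v, &err) // keys are case-insensitive
			}
		}
		rest = rest[:i]
	}
	scheme, rest, ok := strings.Cut(rest, ":")
	if !ok || strings.ToLower(scheme) != "pkg" {
		return PURL{}, errors.New("not a pURL: missing pkg: scheme")
	}
	rest = strings.TrimLeft(rest, "/") // the spec tolerates pkg://type/...
	if i := strings.LastIndex(rest, "@"); i >= 0 { // a literal '@' in a name must be %40
		p.Version, rest = decode(rest[i+1:], &err), rest[:i]
	}
	typ, path, ok := strings.Cut(rest, "/")
	path = strings.Trim(path, "/")
	if !ok || typ == "" || path == "" {
		return PURL{}, errors.New("pURL needs both a type and a name")
	}
	p.Type = strings.ToLower(typ) // only the type is case-insensitive
	if i := strings.LastIndex(path, "/"); i >= 0 {
		p.Namespace, path = decode(path[:i], &err), path[i+1:]
	}
	p.Name = decode(path, &err)
	return p, err // on a bad percent-escape err is set and p must be ignored
}

// ecosystem is what a decoder can infer from a pURL type. The strings match what
// syft reports for these ecosystems, but the table is this example's own.
type ecosystem struct{ PkgType, Language string }

var purlTypeToEcosystem = map[string]ecosystem{
	"npm":    {"npm", "javascript"},
	"cargo":  {"rust-crate", "rust"},
	"gem":    {"gem", "ruby"},
	"pypi":   {"python", "python"},
	"maven":  {"java-archive", "java"},
	"golang": {"go-module", "go"},
	"deb":    {"deb", ""}, // OS package: no language
}

const UnknownPkgType = "UnknownPackage"

// TypeAndLanguageFromPURL is the decode-side lookup. A pURL that does not parse
// or has an unmapped type yields UnknownPkgType and an empty language, never an
// error: in a third-party SBOM the pURL is producer-supplied data.
func TypeAndLanguageFromPURL(s string) (pkgType, language string) {
	p, err := ParsePURL(s)
	if err != nil {
		return UnknownPkgType, ""
	}
	if eco, ok := purlTypeToEcosystem[p.Type]; ok {
		return eco.PkgType, eco.Language
	}
	return UnknownPkgType, ""
}

func main() {
	// Constructed sample pURLs; the last is deliberately malformed (no pkg: scheme).
	for _, s := range []string{
		"pkg:npm/%40angular/animation@12.3.1",
		"pkg:deb/debian/curl@7.74.0-1.3%2Bdeb11u1?arch=amd64&distro=debian-11",
		"npm/left-pad@1.3.0",
	} {
		t, l := TypeAndLanguageFromPURL(s)
		fmt.Printf("%-70s type=%-14s language=%q\n", s, t, l)
	}
}
```

Two things a decoder built on this should carry over. Percent-encoding matters: the npm scope @angular arrives as %40angular and a Debian version with a + arrives as %2B, so decode the components rather than splitting the raw string on @ and /. And every component that lands on UnknownPkgType with no language is a component that downstream matching (the grype issue linked above is the motivating case) cannot classify, so the count of such components is worth surfacing in the decode output instead of silently dropping it.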
@wagoodman wagoodman added the enhancement New feature or request label Jan 26, 2022
@wagoodman wagoodman requested a review from a team January 26, 2022 22:50
@wagoodman wagoodman self-assigned this Jan 26, 2022
@github-actions (bot):

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.40ms ± 9%    1.34ms ± 0%    ~     (p=0.056 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.11ms ± 3%    3.05ms ± 1%    ~     (p=0.556 n=5+4)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.09ms ± 7%    1.05ms ± 1%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         781µs ± 4%     825µs ± 0%  +5.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     960µs ± 6%     954µs ± 0%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      824µs ± 4%     857µs ± 0%  +3.98%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      13.8ms ± 3%    13.5ms ± 1%    ~     (p=0.548 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30ms ± 3%    1.27ms ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          1.97µs ± 6%    1.86µs ± 1%    ~     (p=0.111 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               253kB ± 0%     253kB ± 0%    ~     (p=0.937 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            1.06MB ± 0%    1.06MB ± 0%    ~     (p=0.548 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     253kB ± 0%     253kB ± 0%    ~     (p=0.095 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         207kB ± 0%     208kB ± 0%  +0.13%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     254kB ± 0%     254kB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      236kB ± 0%     235kB ± 0%  -0.09%  (p=0.032 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.78MB ± 0%    3.78MB ± 0%    ~     (p=0.310 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.30MB ± 0%    1.30MB ± 0%    ~     (p=0.222 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            560B ± 0%      560B ± 0%    ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               6.33k ± 0%     6.33k ± 0%    ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             21.4k ± 0%     21.4k ± 0%    ~     (p=0.571 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     7.26k ± 0%     7.26k ± 0%    ~     (p=0.968 n=4+5)
ImagePackageCatalogers/javascript-package-cataloger-2         5.34k ± 0%     5.36k ± 0%  +0.45%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     7.11k ± 0%     7.11k ± 0%    ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      6.83k ± 0%     6.83k ± 0%    ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       74.7k ± 0%     74.7k ± 0%    ~     (p=0.873 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      7.38k ± 0%     7.38k ± 0%    ~     (p=0.556 n=5+4)
ImagePackageCatalogers/go-module-binary-cataloger-2            13.0 ± 0%      13.0 ± 0%    ~     (all equal)

Review thread on the npm pURL construction in the diff (the lines the comment is attached to):

```go
	p.Version,
	nil,
	"",
).ToString()
```

Contributor (reviewer):

NIT: go's https://pkg.go.dev/fmt#Stringer uses String() string as signature.

Contributor (reviewer):

So for example

```go
purl := packageurl.NewPackageURL(
	packageurl.TypeNPM,
	"",
	p.Name,
	p.Version,
	nil,
	"",
)

fmt.Printf("purl: %s", purl) // Printf will look for purl.String()
```

wagoodman (Contributor, author), Jan 27, 2022:

It seems like p.ToString() and p.String() are really the same call on this object (not certain why they didn't just provide String and leave off ToString). Since String simply calls ToString I think I'll leave this as is.

kzantow (Contributor) left a comment:

👍

@wagoodman wagoodman merged commit d7a23e4 into main Jan 27, 2022
@wagoodman wagoodman deleted the spdx-extract-info-from-purl branch January 27, 2022 14:35
jonasagx pushed a commit to jonasagx/syft that referenced this pull request Jan 28, 2022

* add language detection from pURLs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add package type detection from pURLs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add cargo and npm pURL support

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix npm tests and linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Labels
enhancement New feature or request

3 participants