Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue #1227 - Get licenses for NuGet packages #3329

Open
wants to merge 61 commits into
base: main
Choose a base branch
from
Open

Issue #1227 - Get licenses for NuGet packages #3329

wants to merge 61 commits into from

Conversation

HeyeOpenSource
Copy link

@HeyeOpenSource HeyeOpenSource commented Oct 14, 2024
edited
Loading

Description

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@spiffcs spiffcs self-requested a review October 14, 2024 15:41
@spiffcs spiffcs self-assigned this Oct 14, 2024
HeyeOpenSource and others added 14 commits October 15, 2024 09:03
@HeyeOpenSource
- Add new DotNet- / Nuget-Cataloger-Configuration.
102fe66 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Added NuGet license resolver.
df81198 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Inject NuGet license parser into DotNet catalogers.
49ad147 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@westonsteimel @HeyeOpenSource
fix: improve go binary semver extraction for traefik (anchore#3325)
a0d4098 
Improves the go cataloger semver extraction logic to include getting the
release version of traefik.  This is based off of the regex pattern that
already existed in the traefik binary classifier.

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@anchore-actions-token-generator @wagoodman @HeyeOpenSource
chore(deps): update CPE dictionary index (anchore#3323)
276c734 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Implemented the FieldDescriber interface for the cmd/syft/internal/…
61b5a83 
…options dotnetConfig struct.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Added the missing DotNet config field to the cmd/syft/internal/opti…
1659c46 
…ons Catalog struct.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@dependabot @HeyeOpenSource
chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (ancho…
50e75eb 
…re#3327)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.12 to 3.26.13.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c36620d...f779452)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@dependabot @HeyeOpenSource
chore(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3 (anchore#…
5566af1 
…3326)

Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.2 to 0.17.3.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@61119d4...f5e124a)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@anchore-actions-token-generator @willmurphyscode @HeyeOpenSource
chore(deps): update stereoscope to 93f8a11331e3d50f751e4d0ec5b63f3df3…
81edaa9 
…09e9e5 (anchore#3331)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@anchore-actions-token-generator @willmurphyscode @HeyeOpenSource
chore(deps): update stereoscope to 1cc8a41d447d0d092699be2b700b8ba62e…
1a69e5e 
…870434 (anchore#3332)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Corrected DotNet config field description.
4644a0b 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Added more safeguards and comments to the private getDefaultProvide…
37fbd5f 
…rs() function in syft/pkg/cataloger/dotnet.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Refactored NuGet license resolver.
00e2895 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
Copy link
Author

HeyeOpenSource commented Oct 16, 2024
edited
Loading

Just for the record:
I oriented myself at the golang cataloger.

The configuration can also be influenced by the following four main environment variables:

  • SYFT_DOTNET_SEARCH_LOCAL_LICENSES
    • 'true' | 'false'
    • Search for NuGet packages in all known local cache directories.
  • SYFT_DOTNET_LOCAL_CACHE_PATHS
    • Expects a comma-separated lists of local cache directories for NuGet packages to use when searching for local NuGet packages / licenses.
    • Defaults to all known local NuGet repository cache directories as retrieved from the dotnet SDK-tool if undefined.
  • SYFT_DOTNET_SEARCH_REMOTE_LICENSES
    • 'true' | 'false'
    • Search for NuGet packages in all enabled known remote NuGet package repositories eg. https://api.nuget.org/v3-flatcontainer/ as retrieved from https://api.nuget.org/v3/index.json (unless the NuGet package providers setting is overridden)
  • SYFT_DOTNET_PACKAGE_PROVIDERS
    • Expects a comma-separated lists of the URLs of remote NuGet package repositories to use when searching for remote NuGet packages / licenses.
    • Defaults to all enabled known remote NuGet repositories as retrieved from the dotnet SDK-tool if undefined.

NuGet package provider credentials:

These are only ever used, if a NuGet package repository returns the status code 401 Unauthorized when trying to retrieve a remote NuGet package.

  • SYFT_DOTNET_PACKAGE_PROVIDER_CREDENTIALS_USERNAME
    • Username for a credential for remote NuGet package repositories to use when searching for remote NuGet packages / licenses in a package repository requiring authentication.
  • SYFT_DOTNET_PACKAGE_PROVIDER_CREDENTIALS_PASSWORD
    • Password for a credential for remote NuGet package repositories to use when searching for remote NuGet packages / licenses in a package repository requiring authentication.

N.B.:

  • Credentials are only accepted if both username and password are given.

@HeyeOpenSource
- Corrected DefaultCatalogerConfig() comment.
5a7f484 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Minor correction for remote NuGet license retrieval from NuGet pack…
47928c9 
…age provider URLs terminated by '/'.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Extended dotnet configuration to allow for the use of credentials w…
97bb64a 
…hen accessing remote NuGet package repositories.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Heavily restructured the license resolver in order to:
3b27e85 
  - Fix remote NuGet license retrieval.
  - Allow for NuGet package retrieval from package repositories requiring authentication.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Some more refactoring of the license resolver.
037b96b 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Adapt dotnet cataloger config Unit Tests to commit 97bb64a.
10cf9dd 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
Merge branch 'main' into Issue_1227_Take_II
eb28e1a
@HeyeOpenSource
Copy link
Author

FYI:
The feature for defining credentials should mostly be applicable to commercial CI/CD environments,
where access restriction is required by appropriate data security requirements.

Gitea for example allows to create such code- and NuGet package repositories.

@HeyeOpenSource
- Correct the package cataloger conventions for the dotnet catalogers.
e5e288e 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Remove the use of special environment variables for the dotnet cata…
fda1188 
…loger configuration.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Make local NuGet cache folder configurable.
a745223 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Adapted dotnet cataloger options to improve credential security.
3ce5adf 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Corrections for static analysis regressions.
a92a4da 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Corrected test cases for the dotnet executable cataloger.
ae360d2 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Properly reverted the original test case input.
f7017a1 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Tie the dotnet search locally and -remotely options in to the ```en…
979b8ec 
…rich``` functionality.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Compile fix.
f734ca7 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Logic correction *facepalm*.
e234a78 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Removed obsolete text-fixture files.
ca0e822 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
Copy link
Author

HeyeOpenSource commented Oct 24, 2024
edited
Loading

After tackling all review conversations up to now, the Validations action is all green once more:
Validations #27

I have removed any artifacts, which are not strictly neccessary.
As you correctly stated it does not really make sense to have obsolete images and binaries clogging up the repo.

kzantow
kzantow reviewed Oct 29, 2024
View reviewed changes
Copy link
Contributor

@kzantow kzantow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the latest updates; I found a few other things after a finer tooth comb. Other than what's mentioned here, it's looking really good -- very appreciated!

internal/task/package_tasks.go Outdated Show resolved Hide resolved
cmd/syft/internal/options/dotnet.go Outdated Show resolved Hide resolved
cmd/syft/internal/options/dotnet.go Show resolved Hide resolved
cmd/syft/internal/options/dotnet.go Outdated Show resolved Hide resolved
cmd/syft/internal/options/dotnet.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/licenses.go Show resolved Hide resolved
syft/pkg/cataloger/dotnet/licenses.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/parse_dotnet_deps.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/parse_dotnet_deps.go Show resolved Hide resolved
syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go Outdated Show resolved Hide resolved
HeyeOpenSource and others added 7 commits October 30, 2024 17:07
@HeyeOpenSource
- Adaptation for review by [@kzantow](https://github.com/kzantow) on …
bab3d97 
…Oct 29th 2024.

Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@kzantow @HeyeOpenSource
fix: stack overflow in spyingIoReadCloser (anchore#3392)
bfeb2bd 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@dependabot @HeyeOpenSource
chore(deps): bump anchore/sbom-action from 0.17.5 to 0.17.6 (anchore#…
ab4279a 
…3393)

Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.5 to 0.17.6.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@1ca97d9...251a468)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@dependabot @HeyeOpenSource
chore(deps): bump github.com/adrg/xdg from 0.5.1 to 0.5.2 (anchore#3394)
c4d7ba5 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Added generic 'SimpleCredential' struct.
990b077 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Removed unneccessary check.
464e11e 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Correction due to integration tests.
438d94f 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
- Adaptations for 2nd review of DotNet license handling.
e12d96a 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
@HeyeOpenSource
Merge branch 'main' into Issue_1227_Take_II
4936e53 
Signed-off-by: HeyeOpenSource <opensource@heye-international.com>
HeyeOpenSource
HeyeOpenSource commented Nov 2, 2024
View reviewed changes
Copy link
Author

@HeyeOpenSource HeyeOpenSource left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a sense, the localNuGetCacheResolvers are source content:
These are the folders ('sources') from where the external NuGet dependencies are linked...

Hence, I would currently refrain from changing from the file.Resolver implementation to an fs package implementation.

@kzantow : What do you say?

syft/pkg/cataloger/dotnet/parse_dotnet_deps.go Show resolved Hide resolved
cmd/syft/internal/options/dotnet.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go Outdated Show resolved Hide resolved
cmd/syft/internal/options/catalog.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/config.go Show resolved Hide resolved
syft/pkg/cataloger/dotnet/config.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/licenses.go Show resolved Hide resolved
syft/pkg/cataloger/dotnet/licenses.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/config.go Outdated Show resolved Hide resolved
syft/pkg/cataloger/dotnet/licenses.go

type nugetLicenseResolver struct {
opts CatalogerConfig
localNuGetCacheResolvers []file.Resolver
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clarification about the decisions taken.
At the moment I am not quite sure, how I'd go about performing the switch towards the fs package...

Then again:
In a sense, the localNuGetCacheResolvers are source content:
These are the folders ('sources') from where the external NuGet dependencies are linked... 🤷‍♂️

@kzantow : What do you say?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs Awaiting requested review from spiffcs

@kzantow kzantow Awaiting requested review from kzantow

At least 1 approving review is required to merge this pull request.

Assignees

@spiffcs spiffcs

Labels
None yet
Projects
OSS
Status: In Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Get licenses for NuGet packages
4 participants
@HeyeOpenSource @kzantow @spiffcs @westonsteimel