Issue #1227 - Get licenses for NuGet packages

cmd/syft/internal/options/catalog.go

@@ -19,6 +19,7 @@ import (
 	"github.com/anchore/syft/syft/file/cataloger/executable"
 	"github.com/anchore/syft/syft/file/cataloger/filecontent"
 	"github.com/anchore/syft/syft/pkg/cataloger/binary"
+	"github.com/anchore/syft/syft/pkg/cataloger/dotnet"
 	"github.com/anchore/syft/syft/pkg/cataloger/golang"
 	"github.com/anchore/syft/syft/pkg/cataloger/java"
 	"github.com/anchore/syft/syft/pkg/cataloger/javascript"
@@ -42,6 +43,7 @@ type Catalog struct {
 
 	// ecosystem-specific cataloger configuration
 	Golang      golangConfig      `yaml:"golang" json:"golang" mapstructure:"golang"`
+	DotNet      dotnetConfig      `yaml:"dotnet" json:"dotnet" mapstructure:"dotnet"`
 	Java        javaConfig        `yaml:"java" json:"java" mapstructure:"java"`
 	JavaScript  javaScriptConfig  `yaml:"javascript" json:"javascript" mapstructure:"javascript"`
 	LinuxKernel linuxKernelConfig `yaml:"linux-kernel" json:"linux-kernel" mapstructure:"linux-kernel"`
@@ -71,6 +73,7 @@ func DefaultCatalog() Catalog {
 		Package:       defaultPackageConfig(),
 		LinuxKernel:   defaultLinuxKernelConfig(),
 		Golang:        defaultGolangConfig(),
+		DotNet:        defaultDotnetConfig(),
 		Java:          defaultJavaConfig(),
 		File:          defaultFileConfig(),
 		Relationships: defaultRelationshipsConfig(),
@@ -165,6 +168,12 @@ func (cfg Catalog) ToPackagesConfig() pkgcataloging.Config {
 					WithFromBuildSettings(cfg.Golang.MainModuleVersion.FromBuildSettings).
 					WithFromLDFlags(cfg.Golang.MainModuleVersion.FromLDFlags),
 			),
+		DotNet: dotnet.DefaultCatalogerConfig().
+			WithSearchLocalLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Dotnet, task.CSharp, task.CSharpWrittenOut), cfg.DotNet.SearchLocalLicenses)).
+			WithLocalCachePaths(cfg.DotNet.LocalCachePaths).
+			WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.Dotnet, task.CSharp, task.CSharpWrittenOut), cfg.DotNet.SearchRemoteLicenses)).
+			WithProviders(cfg.DotNet.Providers).
+			WithCredentials(cfg.DotNet.ProviderCredentials.ToProviderCredentials()),
 		JavaScript: javascript.DefaultCatalogerConfig().
 			WithIncludeDevDependencies(*multiLevelOption(false, cfg.JavaScript.IncludeDevDependencies)).
 			WithSearchRemoteLicenses(*multiLevelOption(false, enrichmentEnabled(cfg.Enrich, task.JavaScript, task.Node, task.NPM), cfg.JavaScript.SearchRemoteLicenses)).

cmd/syft/internal/options/dotnet.go

@@ -0,0 +1,88 @@
+package options
+
+import (
+	"os"
+	"strings"
+
+	"github.com/anchore/clio"
+	"github.com/anchore/syft/syft/credential"
+	"github.com/anchore/syft/syft/pkg/cataloger/dotnet"
+)
+
+type dotNetProviderCredentials []dotNetProviderCredential
+
+func (dnpc dotNetProviderCredentials) ToProviderCredentials() []credential.SimpleCredential {
+	result := []credential.SimpleCredential{}
+	for _, _credential := range dnpc {
+		result = append(result, credential.SimpleCredential{
+			Username: _credential.Username.String(),
+			Password: _credential.Password.String(),
+		})
+	}
+
+	return result
+}
+
+type dotNetProviderCredential struct {
+	// IMPORTANT: do not show any credential information, use secret type to automatically redact the values
+	Username secret `yaml:"username" json:"username" mapstructure:"username"`
+	Password secret `yaml:"password" json:"password" mapstructure:"password"`
+}
+
+type dotnetConfig struct {
+	SearchLocalLicenses  *bool                     `yaml:"search-local-licenses" json:"search-local-licenses" mapstructure:"search-local-licenses"`
+	LocalCachePaths      string                    `yaml:"local-cache-paths" json:"local-cache-paths" mapstructure:"local-cache-paths"`
+	SearchRemoteLicenses *bool                     `yaml:"search-remote-licenses" json:"search-remote-licenses" mapstructure:"search-remote-licenses"`
+	Providers            string                    `yaml:"package-providers,omitempty" json:"package-providers,omitempty" mapstructure:"package-providers"`
+	ProviderCredentials  dotNetProviderCredentials `yaml:"package-provider-credentials,omitempty" json:"package-provider-credentials,omitempty" mapstructure:"package-provider-credentials"`
+}
+
+var _ interface {
+	clio.PostLoader
+	clio.FieldDescriber
+} = (*dotnetConfig)(nil)
+
+func (o *dotnetConfig) PostLoad() error {
+	username, password :=
+		os.Getenv("SYFT_DOTNET_PACKAGE_PROVIDER_CREDENTIALS_USERNAME"),
+		os.Getenv("SYFT_DOTNET_PACKAGE_PROVIDER_CREDENTIALS_PASSWORD")
+
+	if username != "" && password != "" {
+		o.ProviderCredentials = append(o.ProviderCredentials, dotNetProviderCredential{
+			Username: secret(username),
+			Password: secret(password),
+		})
+	}
+	return nil
+}
+
+func (o *dotnetConfig) DescribeFields(descriptions clio.FieldDescriptionSet) {
+	descriptions.Add(&o.SearchLocalLicenses, `search for NuGet package licences in the local cache of the system running Syft, note that this is outside the
+container filesystem and probably outside the root of a local directory scan`)
+	descriptions.Add(&o.LocalCachePaths, `local cache folders (comma-separated) to use when retrieving NuGet packages locally, 
+if unset this defaults to the NuGet cache folders known to the DotNet environment`)
+	descriptions.Add(&o.SearchRemoteLicenses, `search for NuGet package licences by retrieving the package from a network proxy`)
+	descriptions.Add(&o.Providers, `remote NuGet package providers (comma-separated) to use when retrieving NuGet packages from the network, 
+if unset this defaults to the NuGet-repositories known to the DotNet environment`)
+	descriptions.Add(&o.ProviderCredentials, `remote NuGet package provider credentials to use when retrieving NuGet packages from the network.`)
+}
+
+func defaultDotnetConfig() dotnetConfig {
+	def := dotnet.DefaultCatalogerConfig()
+	providerCredentials := []dotNetProviderCredential{}
+	if len(def.ProviderCredentials) > 0 {
+		for _, credential := range def.ProviderCredentials {
+			providerCredentials = append(providerCredentials, dotNetProviderCredential{
+				Username: secret(credential.Username),
+				Password: secret(credential.Password),
+			})
+		}
+	}
+	return dotnetConfig{
+		SearchLocalLicenses:  nil,
+		LocalCachePaths:      strings.Join(def.LocalCachePaths, ","),
+		SearchRemoteLicenses: nil,
+		Providers:            strings.Join(def.Providers, ","),
+		ProviderCredentials:  providerCredentials,
+	}
+}

internal/task/package_tasks.go

@@ -47,6 +47,11 @@ const (
 	JavaScript = "javascript"
 	Node       = "node"
 	NPM        = "npm"
+
+	// Dotnet ecosystem labels
+	Dotnet           = "dotnet"
+	CSharp           = "c#"
+	CSharpWrittenOut = "csharp"
 )
 
 //nolint:funlen
@@ -73,7 +78,11 @@ func DefaultPackageTaskFactories() PackageTaskFactories {
 		// language-specific package declared catalogers ///////////////////////////////////////////////////////////////////////////
 		newSimplePackageTaskFactory(cpp.NewConanCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "cpp", "conan"),
 		newSimplePackageTaskFactory(dart.NewPubspecLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "dart"),
-		newSimplePackageTaskFactory(dotnet.NewDotnetDepsCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "dotnet", "c#"),
+		newPackageTaskFactory(
+			func(cfg CatalogingFactoryConfig) pkg.Cataloger {
+				return dotnet.NewDotnetDepsCataloger(cfg.PackagesConfig.DotNet)
+			},
+			pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, Dotnet, CSharp, CSharpWrittenOut),
 		newSimplePackageTaskFactory(elixir.NewMixLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "elixir"),
 		newSimplePackageTaskFactory(erlang.NewRebarLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "erlang"),
 		newSimplePackageTaskFactory(erlang.NewOTPCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "erlang", "otp"),
@@ -114,7 +123,12 @@ func DefaultPackageTaskFactories() PackageTaskFactories {
 		newSimplePackageTaskFactory(ocaml.NewOpamPackageManagerCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "ocaml", "opam"),
 
 		// language-specific package for both image and directory scans (but not necessarily declared) ////////////////////////////////////////
-		newSimplePackageTaskFactory(dotnet.NewDotnetPortableExecutableCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, pkgcataloging.LanguageTag, "dotnet", "c#", "binary"),
+		newPackageTaskFactory(
+			func(cfg CatalogingFactoryConfig) pkg.Cataloger {
+				return dotnet.NewDotnetPortableExecutableCataloger(cfg.PackagesConfig.DotNet)
+			},
+			pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, pkgcataloging.LanguageTag, Dotnet, CSharp, CSharpWrittenOut, "binary",
+		),
 		newSimplePackageTaskFactory(python.NewInstalledPackageCataloger, pkgcataloging.DirectoryTag, pkgcataloging.InstalledTag, pkgcataloging.ImageTag, pkgcataloging.LanguageTag, "python"),
 		newPackageTaskFactory(
 			func(cfg CatalogingFactoryConfig) pkg.Cataloger {

syft/cataloging/pkgcataloging/config.go

@@ -2,6 +2,7 @@ package pkgcataloging
 
 import (
 	"github.com/anchore/syft/syft/pkg/cataloger/binary"
+	"github.com/anchore/syft/syft/pkg/cataloger/dotnet"
 	"github.com/anchore/syft/syft/pkg/cataloger/golang"
 	"github.com/anchore/syft/syft/pkg/cataloger/java"
 	"github.com/anchore/syft/syft/pkg/cataloger/javascript"
@@ -12,6 +13,7 @@ import (
 type Config struct {
 	Binary      binary.ClassifierCatalogerConfig  `yaml:"binary" json:"binary" mapstructure:"binary"`
 	Golang      golang.CatalogerConfig            `yaml:"golang" json:"golang" mapstructure:"golang"`
+	DotNet      dotnet.CatalogerConfig            `yaml:"dotnet" json:"dotnet" mapstructure:"dotnet"`
 	JavaArchive java.ArchiveCatalogerConfig       `yaml:"java-archive" json:"java-archive" mapstructure:"java-archive"`
 	JavaScript  javascript.CatalogerConfig        `yaml:"javascript" json:"javascript" mapstructure:"javascript"`
 	LinuxKernel kernel.LinuxKernelCatalogerConfig `yaml:"linux-kernel" json:"linux-kernel" mapstructure:"linux-kernel"`
@@ -22,6 +24,7 @@ func DefaultConfig() Config {
 	return Config{
 		Binary:      binary.DefaultClassifierCatalogerConfig(),
 		Golang:      golang.DefaultCatalogerConfig(),
+		DotNet:      dotnet.DefaultCatalogerConfig(),
 		LinuxKernel: kernel.DefaultLinuxKernelCatalogerConfig(),
 		Python:      python.DefaultCatalogerConfig(),
 		JavaArchive: java.DefaultArchiveCatalogerConfig(),
@@ -38,6 +41,11 @@ func (c Config) WithGolangConfig(cfg golang.CatalogerConfig) Config {
 	return c
 }
 
+func (c Config) WithDotNetConfig(cfg dotnet.CatalogerConfig) Config {
+	c.DotNet = cfg
+	return c
+}
+
 func (c Config) WithJavascriptConfig(cfg javascript.CatalogerConfig) Config {
 	c.JavaScript = cfg
 	return c

syft/credential/simple_credential.go

@@ -0,0 +1,10 @@
+package credential
+
+type SimpleCredential struct {
+	Username string `yaml:"username" json:"username" mapstructure:"username"`
+	Password string `yaml:"password" json:"password" mapstructure:"password"`
+}
+
+func (pc SimpleCredential) Valid() bool {
+	return pc.Username != "" && pc.Password != ""
+}

syft/pkg/cataloger/dotnet/cataloger.go

@@ -8,14 +8,25 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
+const (
+	dotnetDepsCatalogerName               = "dotnet-deps-cataloger"
+	dotnetPortableExecutableCatalogerName = "dotnet-portable-executable-cataloger"
+)
+
 // NewDotnetDepsCataloger returns a new Dotnet cataloger object base on deps json files.
-func NewDotnetDepsCataloger() pkg.Cataloger {
-	return generic.NewCataloger("dotnet-deps-cataloger").
-		WithParserByGlobs(parseDotnetDeps, "**/*.deps.json")
+func NewDotnetDepsCataloger(opts CatalogerConfig) pkg.Cataloger {
+	c := dotnetDepsCataloger{
+		licenses: newNugetLicenseResolver(opts),
+	}
+	return generic.NewCataloger(dotnetDepsCatalogerName).
+		WithParserByGlobs(c.parseDotnetDeps, "**/*.deps.json")
 }
 
 // NewDotnetPortableExecutableCataloger returns a new Dotnet cataloger object base on portable executable files.
-func NewDotnetPortableExecutableCataloger() pkg.Cataloger {
-	return generic.NewCataloger("dotnet-portable-executable-cataloger").
-		WithParserByGlobs(parseDotnetPortableExecutable, "**/*.dll", "**/*.exe")
+func NewDotnetPortableExecutableCataloger(opts CatalogerConfig) pkg.Cataloger {
+	c := dotnetPortableExecutableCataloger{
+		licenses: newNugetLicenseResolver(opts),
+	}
+	return generic.NewCataloger(dotnetPortableExecutableCatalogerName).
+		WithParserByGlobs(c.parseDotnetPortableExecutable, "**/*.dll", "**/*.exe")
 }

syft/pkg/cataloger/dotnet/cataloger_test.go

@@ -17,15 +17,15 @@ func TestCataloger_Globs(t *testing.T) {
 		{
 			name:      "obtain deps.json files",
 			fixture:   "test-fixtures/glob-paths",
-			cataloger: NewDotnetDepsCataloger(),
+			cataloger: NewDotnetDepsCataloger(DefaultCatalogerConfig()),
 			expected: []string{
 				"src/something.deps.json",
 			},
 		},
 		{
 			name:      "obtain portable executable files",
 			fixture:   "test-fixtures/glob-paths",
-			cataloger: NewDotnetPortableExecutableCataloger(),
+			cataloger: NewDotnetPortableExecutableCataloger(DefaultCatalogerConfig()),
 			expected: []string{
 				"src/something.dll",
 				"src/something.exe",