Reregister apk/dpkgs/rpm analyzers

Author: domust

README.md

@@ -1,6 +1,7 @@
 # image-analyzer
 OCI images analyzer
 
-This repository exists for 2 reasons:
+This repository exists for 3 reasons:
 - `github.com/castai/image-analyzer/image/daemon.Image` interface.
-- Having various analyzers bundled in a single module.
+- Having various analyzers bundled in a single module. [This didn't exist at the time of the fork](https://github.com/aquasecurity/trivy/blob/v0.50.1/pkg/fanal/analyzer/all/import.go)
+- `https://github.com/aquasecurity/trivy/tree/v0.50.1/pkg/fanal/analyzer/pkg/apk` analyzer not scanning installed binaries.

apk/apk.go

@@ -9,18 +9,20 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/castai/image-analyzer/pathutil"
-	apkVersion "github.com/knqyf263/go-apk-version"
-	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/licensing"
 	"github.com/aquasecurity/trivy/pkg/log"
+	apkVersion "github.com/knqyf263/go-apk-version"
+	"github.com/samber/lo"
+	"golang.org/x/exp/slices"
+
+	"github.com/castai/image-analyzer/pathutil"
 )
 
+// https://github.com/aquasecurity/trivy/blob/v0.50.1/pkg/fanal/analyzer/all/import.go
 func init() {
+	analyzer.DeregisterAnalyzer(analyzer.TypeApk) // prevents registering analyzer twice
 	analyzer.RegisterAnalyzer(&alpinePkgAnalyzer{})
 }
 

artifact.go

@@ -29,38 +29,7 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/buildinfo"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/executable"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/imgconf/apk"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/c/conan"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/deps"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/binary"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/mod"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pkg"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/composer"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/packaging"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pip"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pipenv"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/poetry"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/bundler"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/gemspec"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/binary"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/cargo"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/licensing"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/alpine"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/amazonlinux"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/debian"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/redhatbase"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/release"
-	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/ubuntu"
+	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/all"
 
 	_ "github.com/castai/image-analyzer/apk"
 	_ "github.com/castai/image-analyzer/dpkg"

dpkg/copyright.go

@@ -18,7 +18,9 @@ import (
 	"golang.org/x/xerrors"
 )
 
+// https://github.com/aquasecurity/trivy/blob/v0.50.1/pkg/fanal/analyzer/all/import.go
 func init() {
+	analyzer.DeregisterAnalyzer(analyzer.TypeDpkgLicense) // prevents registering analyzer twice
 	analyzer.RegisterAnalyzer(&dpkgLicenseAnalyzer{})
 }
 

go.mod

@@ -44,6 +44,7 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.8.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -58,6 +59,7 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 // indirect
@@ -155,6 +157,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.19.1 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -163,6 +166,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.17.2 // indirect
+	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
@@ -184,6 +188,7 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/buildkit v0.12.5 // indirect
@@ -219,9 +224,12 @@ require (
 	github.com/rubenv/sql-migrate v1.5.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/saracen/walker v0.1.3 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // indirect
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/cobra v1.8.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -237,6 +245,7 @@ require (
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/zclconf/go-cty v1.14.1 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
+	go.etcd.io/bbolt v1.3.8 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect