Merge branch 'main' into kubecon-draft

* main: (45 commits)
  feat: add RelationshipsBySourceOwnership to syft json output (#1248)
  fix: reset merged package into map; (#1258)
  refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  Update syft bootstrap tools to latest versions. (#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  Update syft bootstrap tools to latest versions. (#1244)
  fix apkdb checksum representation (#1247)
  feat: add identifiable field to source object (#1243)
  feat: attest support for Singularity images (#1201)
  Update syft bootstrap tools to latest versions. (#1239)
  Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
  fix: Follow symlinks when searching for globs in all-layers scope (#1221)
  update requires to use list; remove field (#1234)
  Add Conan (C/C++) conan.lock file support (#1230)
  add sequence diagrams and flesh out TODO notes (#1233)
  Do not fail if unable to parse `.rpm` file (#1232)
  fix: support exclude patterns on Windows (#1228)
  Update syft bootstrap tools to latest versions. (#1225)
  Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
  Update syft bootstrap tools to latest versions. (#1223)
  ...

Signed-off-by: Christopher Phillips <[email protected]>

.bouncer.yaml

@@ -11,6 +11,13 @@ ignore-packages:
   # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE
   - github.com/anchore/packageurl-go
 
+  # both of these dependencies are specified as Apache-2.0 in their respective GitHub READMEs
+  - github.com/alibabacloud-go/cr-20160607/client
+  - github.com/alibabacloud-go/tea-xml/service
+
+  # crypto/internal/boring is released under the openSSL license as a part of the Golang Standard Libary
+  - crypto/internal/boring
+
   # from: https://github.com/spdx/tools-golang/blob/main/LICENSE.code
   # The tools-golang source code is provided and may be used, at your option,
   # under either:

.github/workflows/update-bootstrap-tools.yml

@@ -26,6 +26,7 @@ jobs:
           BOUNCER_LATEST_VERSION=$(go list -m -json github.com/wagoodman/go-bouncer@latest 2>/dev/null | jq -r '.Version')
           CHRONICLE_LATEST_VERSION=$(go list -m -json github.com/anchore/chronicle@latest 2>/dev/null | jq -r '.Version')
           GORELEASER_LATEST_VERSION=$(go list -m -json github.com/goreleaser/goreleaser@latest 2>/dev/null | jq -r '.Version')
+          GOSIMPORTS_LATEST_VERSION=$(go list -m -json github.com/rinchsan/gosimports@latest 2>/dev/null | jq -r '.Version')
           YAJSV_LATEST_VERSION=$(go list -m -json github.com/neilpa/yajsv@latest 2>/dev/null | jq -r '.Version')
           COSIGN_LATEST_VERSION=$(go list -m -json github.com/sigstore/cosign@latest 2>/dev/null | jq -r '.Version')
           
@@ -34,6 +35,7 @@ jobs:
           sed -r -i -e 's/^(BOUNCER_VERSION = ).*/\1'${BOUNCER_LATEST_VERSION}'/' Makefile
           sed -r -i -e 's/^(CHRONICLE_VERSION = ).*/\1'${CHRONICLE_LATEST_VERSION}'/' Makefile
           sed -r -i -e 's/^(GORELEASER_VERSION = ).*/\1'${GORELEASER_LATEST_VERSION}'/' Makefile
+          sed -r -i -e 's/^(GOSIMPORTS_VERSION = ).*/\1'${GOSIMPORTS_LATEST_VERSION}'/' Makefile
           sed -r -i -e 's/^(YAJSV_VERSION = ).*/\1'${YAJSV_LATEST_VERSION}'/' Makefile
           sed -r -i -e 's/^(COSIGN_VERSION = ).*/\1'${COSIGN_LATEST_VERSION}'/' Makefile
           
@@ -46,6 +48,7 @@ jobs:
           echo "::set-output name=BOUNCER::$BOUNCER_LATEST_VERSION"
           echo "::set-output name=CHRONICLE::$CHRONICLE_LATEST_VERSION"
           echo "::set-output name=GORELEASER::$GORELEASER_LATEST_VERSION"
+          echo "::set-output name=GOSIMPORTS::$GOSIMPORTS_LATEST_VERSION"
           echo "::set-output name=YAJSV::$YAJSV_LATEST_VERSION"
           echo "::set-output name=COSIGN::$COSIGN_LATEST_VERSION"
         id: latest-versions
@@ -69,6 +72,7 @@ jobs:
             - [bouncer ${{ steps.latest-versions.outputs.BOUNCER }}](https://github.com/wagoodman/go-bouncer/releases/tag/${{ steps.latest-versions.outputs.BOUNCER }})
             - [chronicle ${{ steps.latest-versions.outputs.CHRONICLE }}](https://github.com/anchore/chronicle/releases/tag/${{ steps.latest-versions.outputs.CHRONICLE }})
             - [goreleaser ${{ steps.latest-versions.outputs.GORELEASER }}](https://github.com/goreleaser/goreleaser/releases/tag/${{ steps.latest-versions.outputs.GORELEASER }})
+            - [gosimports ${{ steps.latest-versions.outputs.GOSIMPORTS }}](https://github.com/rinchsan/gosimports/releases/tag/${{ steps.latest-versions.outputs.GOSIMPORTS }})
             - [yajsv ${{ steps.latest-versions.outputs.YAJSV }}](https://github.com/neilpa/yajsv/releases/tag/${{ steps.latest-versions.outputs.YAJSV }})
             - [cosign ${{ steps.latest-versions.outputs.COSIGN }}](https://github.com/sigstore/cosign/releases/tag/${{ steps.latest-versions.outputs.COSIGN }})  
             This is an auto-generated pull request to update all of the bootstrap tools to the latest versions.

.github/workflows/validations.yaml

@@ -95,6 +95,16 @@ jobs:
           path: syft/pkg/cataloger/java/test-fixtures/java-builds/packages
           key: ${{ runner.os }}-unit-java-cache-${{ hashFiles( 'syft/pkg/cataloger/java/test-fixtures/java-builds/packages.fingerprint' ) }}
 
+      - name: Build cache key for rpm test-fixture blobs (for unit tests)
+        run: make rpm-binaries-fingerprint
+
+      - name: Restore RPM test-fixture cache
+        id: unit-rpm-cache
+        uses: actions/[email protected]
+        with:
+          path: syft/pkg/cataloger/rpm/test-fixtures/rpms
+          key: ${{ runner.os }}-unit-rpm-cache-${{ hashFiles( 'syft/pkg/cataloger/rpm/test-fixtures/rpms.fingerprint' ) }}
+
       - name: Build cache key for go binary test-fixture blobs (for unit tests)
         run: make go-binaries-fingerprint
 

.golangci.yaml

@@ -10,7 +10,6 @@ linters:
   enable:
     - asciicheck
     - bodyclose
-    - deadcode
     - depguard
     - dogsled
     - dupl
@@ -22,7 +21,6 @@ linters:
     - gocritic
     - gocyclo
     - gofmt
-    - goimports
     - goprintffuncname
     - gosec
     - gosimple
@@ -32,23 +30,22 @@ linters:
     - nakedret
     - nolintlint
     - revive
-    - rowserrcheck
     - staticcheck
-    - structcheck
     - stylecheck
     - typecheck
     - unconvert
     - unparam
     - unused
-    - varcheck
     - whitespace
 
 # do not enable...
 #    - gochecknoglobals
 #    - gochecknoinits    # this is too aggressive
+#    - rowserrcheck disabled per generics https://github.com/golangci/golangci-lint/issues/2649
 #    - godot
 #    - godox
 #    - goerr113
+#    - goimports   # we're using gosimports now instead to account for extra whitespaces (see https://github.com/golang/go/issues/20818)
 #    - golint      # deprecated
 #    - gomnd       # this is too aggressive
 #    - interfacer  # this is a good idea, but is no longer supported and is prone to false positives

DEVELOPING.md

@@ -3,22 +3,143 @@
 ## Getting started
 
 In order to test and develop in this repo you will need the following dependencies installed:
+- Golang
 - docker
 - make
 
-After cloning do the following:
+After cloning the following step can help you get setup:
 1. run `make bootstrap` to download go mod dependencies, create the `/.tmp` dir, and download helper utilities.
-2. run `make` to run linting, tests, and other verifications to make certain everything is working alright.
-
-Checkout `make help` to see what other actions you can take.
+2. run `make` to view the selection of developer commands in the Makefile
+3. run `make build` to build the release snapshot binaries and packages
+4. for an even quicker start you can run `go run cmd/syft/main.go` to print the syft help.
+	- this command `go run cmd/syft/main.go alpine:latest` will compile and run syft against `alpine:latest`
+5. view the README or syft help output for more output options
 
+#### Make output
 The main make tasks for common static analysis and testing are `lint`, `lint-fix`, `unit`, `integration`, and `cli`.
+```
+all                      Run all linux-based checks (linting, license check, unit, integration, and linux compare tests)
+benchmark                Run benchmark tests and compare against the baseline (if available)
+bootstrap                Download and install all tooling dependencies (+ prep tooling in the ./tmp dir)
+build                    Build release snapshot binaries and packages
+check-licenses           Ensure transitive dependencies are compliant with the current license policy
+clean-test-image-cache   Clean test image cache
+clean                    Remove previous builds, result reports, and test cache
+cli                      Run CLI tests
+compare-linux            Run compare tests on build snapshot binaries and packages (Linux)
+compare-mac              Run compare tests on build snapshot binaries and packages (Mac)
+generate-json-schema     Generate a new json schema
+generate-license-list    Generate an updated spdx license list
+help                     Display this help
+integration              Run integration tests
+lint-fix                 Auto-format all source code + run golangci lint fixers
+lint                     Run gofmt + golangci lint checks
+show-test-image-cache    Show all docker and image tar cache
+show-test-snapshots      Show all test snapshots
+snapshot-with-signing    Build snapshot release binaries and packages (with dummy signing)
+test                     Run all tests (currently unit, integration, linux compare, and cli tests)
+unit                     Run unit tests (with coverage)
+```
+
+## Architecture
+
+Syft is used to generate a Software Bill of Materials (SBOM) from different kinds of input.
+
+### Code organization for the cmd package
+Syft's entrypoint can be found in the `cmd` package at `cmd/syft/main.go`. `main.go` builds a new syft `cli` via `cli.New()` 
+and then executes the `cli` via `cli.Execute()`. The `cli` package is responsible for parsing command line arguments, 
+setting up the application context and configuration, and executing the application. Each of syft's commands 
+(e.g. `packages`, `attest`, `version`) are implemented as a `cobra.Command` in their respective `<command>.go` files. 
+They are registered in `syft/cli/commands/go`.
+```
+.
+└── syft/
+    ├── cli/
+    │   ├── attest/
+    │   ├── attest.go
+    │   ├── commands.go
+    │   ├── completion.go
+    │   ├── convert/
+    │   ├── convert.go
+    │   ├── eventloop/
+    │   ├── options/
+    │   ├── packages/
+    │   ├── packages.go
+    │   ├── poweruser/
+    │   ├── poweruser.go
+    │   └── version.go
+    └── main.go
+```
+
+#### Execution flow
+```mermaid
+sequenceDiagram
+    participant main as cmd/syft/main
+    participant cli as cli.New()
+    participant root as root.Execute()
+    participant cmd as <command>.Execute()
+
+    main->>+cli: 
+
+    Note right of cli: wire ALL CLI commands
+    Note right of cli: add flags for ALL commands
+
+    cli-->>-main:  root command 
+
+    main->>+root: 
+    root->>+cmd: 
+    cmd-->>-root: (error)  
 
-## Levels of testing
+    root-->>-main: (error) 
+
+    Note right of cmd: Execute SINGLE command from USER
+```
+
+### Code organization for syft library
+
+Syft's core library (see, exported) functionality is implemented in the `syft` package. The `syft` package is responsible for organizing the core
+SBOM data model, it's translated output formats, and the core SBOM generation logic.
+
+#### Organization and design notes for the syft library
+- analysis creates a static SBOM which can be encoded and decoded
+- format objects, should strive to not add or enrich data in encoding that could otherwise be done during analysis
+- package catalogers and their organization can be viewed/added to the `syft/pkg/cataloger` package 
+- file catalogers and their organization can be viewed/added to the `syft/file` package
+- The source package provides an abstraction to allow a user to loosely define a data source that can be cataloged
+- Logging Abstraction ...
+
+#### Code example of syft as a library
+Here is a gist of using syft as a library to generate a SBOM from a docker image: [link](https://gist.github.com/wagoodman/57ed59a6d57600c23913071b8470175b).
+The execution flow for the example is detailed below.
+
+#### Execution flow examples for the syft library
+```mermaid
+sequenceDiagram
+    participant source as source.New(ubuntu:latest)
+    participant sbom as sbom.SBOM
+    participant catalog as syft.CatalogPackages(src)
+    participant encoder as syft.Encode(sbom, format)
+
+    Note right of source: use "ubuntu:latest" as SBOM input
+
+    source-->>+sbom: add source to SBOM struct
+    source-->>+catalog: pass src to generate catalog
+    catalog-->-sbom: add cataloging results onto SBOM
+    sbom-->>encoder: pass SBOM and format desiered to syft encoder
+    encoder-->>source: return bytes that are the SBOM of the original input 
+
+    Note right of catalog: cataloger configuration is done based on src
+```
+
+
+
+## Testing
+
+### Levels of testing
 
 - `unit`: The default level of test which is distributed throughout the repo are unit tests. Any `_test.go` file that 
   does not reside somewhere within the `/test` directory is a unit test. Other forms of testing should be organized in 
-  the `/test` directory. These tests should focus on correctness of functionality in depth. % Test coverage metrics 
+  the `/test` directory. These tests should focus on correctness of functionality in depth. % test coverage metrics 
   only considers unit tests and no other forms of testing.
 
 - `integration`: located within `test/integration`, these tests focus on the behavior surfaced by the common library 
@@ -166,14 +287,4 @@ These flags are defined at the top of the test files that have tests that use th
 Snapshot testing is only as good as the manual verification of the golden snapshot file saved to the repo! Be careful 
 and diligent when updating these files.
 
-## Architecture
 
-TODO: outline:
-- analysis creates a static SBOM which can be encoded and decoded.
-- format objects, should strive to not add or enrich data in encoding that could otherwise be done during analysis
-- pkg.Catalogers
-- file catalogers
-- source.Source
-- file.Resolvers
-- logger abstraction 
-- events / bus abstraction