Support Swift Package Manager Package.resolved schema version 3

maxgip commented 2 months ago

What happened:

When running syft against a project using Swift Package Manager and a version 3 Package.resolved file, an error occured (error=unknown swift package manager version, 3.000000 location=/Package.resolved) and the sbom output was incomplete:

swift-embedded-examples(main*)$ syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json
 ✔ Indexed file system                                                                                                                                  stm32-neopixel
 ✔ Cataloged contents                                                                                 6ba85f929a0d558c5687b1245352e16c6ee8aa429acbdff263954992966a54e8
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [0 executables]
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
[0000]  WARN cataloger failed cataloger=swift-package-manager-cataloger error=unknown swift package manager version, 3.000000 location=/Package.resolved
swift-embedded-examples(main*)$ cat sbom.json | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:75f909ea-e5a5-49d9-9e9e-73bb23a611a7",
{
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-08T10:23:55-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.1.1"
        }
      ]
    },
    "component": {
      "bom-ref": "06497d32a1d71b4c",
      "type": "file",
      "name": "./stm32-neopixel"
    }
  }
}

What you expected to happen:

No error, and syft to output similar to how it does for version 2 schemas:

swift-embedded-examples(main*)$ sed -i '' 's/"version" : 3/"version" : 2/g' ./stm32-neopixel/Package.resolved
swift-embedded-examples(main*)$ cat sbom.json | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:9425d61f-4b4c-47c5-a89c-10931bd6a394",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-08T12:39:05-04:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "1.1.1"
        }
      ]
    },
    "component": {
      "bom-ref": "06497d32a1d71b4c",
      "type": "file",
      "name": "./stm32-neopixel"
    }
  },
  "components": [
    {
      "bom-ref": "bb99f90ca71781af",
      "type": "library",
      "name": "swift-mmio",
      "cpe": "cpe:2.3:a:swift-mmio:swift-mmio:*:*:*:*:*:*:*:*",
      "purl": "pkg:swift/github.com/apple/swift-mmio/swift-mmio",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "swift-package-manager-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "swift"
        },
        {
          "name": "syft:package:type",
          "value": "swift"
        },
        {
          "name": "syft:package:metadataType",
          "value": "swift-package-manager-lock-entry"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift-mmio:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_mmio:swift-mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_mmio:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift-mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift_mmio:*:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/Package.resolved"
        }
      ]
    },
    {
      "bom-ref": "pkg:swift/github.com/apple/swift-syntax.git/swift-syntax@509.1.1?package-id=5acf2719119adbdb",
      "type": "library",
      "name": "swift-syntax",
      "version": "509.1.1",
      "cpe": "cpe:2.3:a:swift-syntax:swift-syntax:509.1.1:*:*:*:*:*:*:*",
      "purl": "pkg:swift/github.com/apple/swift-syntax.git/swift-syntax@509.1.1",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "swift-package-manager-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "swift"
        },
        {
          "name": "syft:package:type",
          "value": "swift"
        },
        {
          "name": "syft:package:metadataType",
          "value": "swift-package-manager-lock-entry"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift-syntax:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_syntax:swift-syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift_syntax:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift-syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:swift:swift_syntax:509.1.1:*:*:*:*:*:*:*"
        },
        {
          "name": "syft:location:0:path",
          "value": "/Package.resolved"
        }
      ]
    }
  ]
}

Steps to reproduce the issue:

From a repo using SPM and Package.resolved version 3 (I used stm32-neopixel folder in https://github.com/apple/swift-embedded-examples), run syft:

git clone https://github.com/apple/swift-embedded-examples.git
cd swift-embedded-examples
syft scan ./stm32-neopixel -o cyclonedx-json=sbom.json

Anything else we need to know?:

The V3 schema looks like a superset of V2, just has an additional (optional) originHash key:

https://github.com/apple/swift-package-manager/blob/f4ab9a43f3cfbb8f184043435f925b67b0070f36/Sources/PackageGraph/PinsStore.swift#L386-L484

Environment:

Output of syft version:

$ syft version
Application: syft
Version:    1.1.1
BuildDate:  2024-04-04T14:52:45Z
GitCommit:  1e31356c49bf2c30fd80c833482e1fbe4133ff83
GitDescription: v1.1.1
Platform:   darwin/arm64
GoVersion:  go1.21.8
Compiler:   gc

OS (e.g: cat /etc/os-release or similar):

$ sw_vers
ProductName:      macOS
ProductVersion:       14.4.1
BuildVersion:     23E224

kzantow commented 2 months ago

Here's an example file from that repository: https://github.com/apple/swift-embedded-examples/blob/main/stm32-neopixel/Package.resolved

tgerla commented 2 months ago

Hi @maxgip, thanks for the report! We'll put this in the backlog for the future. If you're interested in working on it, please let us know and we can help get you started.

anchore / syft

Support Swift Package Manager Package.resolved schema version 3 #2759