Open kzantow opened 5 months ago
NOTE: I've made an experiment using YAML and `go:embed` for in-repo definitions, which could be fairly easily expanded to use additional rule sources such as an archive: https://github.com/kzantow-anchore/syft/tree/feat/regex-cataloger
What would you like to be added: Ability to distribute a ruleset separately from the Syft binary, which provides information to allow Syft to identify different pieces of software.
Why is this needed: In order to update the ruleset for the binary cataloger, a new Syft binary must be built containing the rules-as-golang-code. This means a new Syft release is necessary to add any rule definitions, and users of a specific version of Syft are stuck with the specific definitions baked into the binary.
Additional context: While adding a new classifier, it became apparent that having a single file where all the definitions reside (and a single file where all the configured test images reside) is not especially sustainable as the usage increases. Something that could help is to split definitions into separate files. While at it, we can change this from Go code and make this file format something that could easily be distributed.