anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.3k stars, 579 forks

cataloger: golang source cataloger #3451

Open spiffcs opened 1 week ago

spiffcs commented 1 week ago

What would you like to be added: A cataloger that is invoked on a directory scan for the Golang Ecosystem that discovers all `**/go.mod` files. The cataloger will use the main module at the top of the modfile and then load all the root packages via the Golang tools utilities found here: `golang.org/x/tools/go/packages`.

These root packages will be created as syft packages for the SBOM. The cataloger will also visit all of the packages in the import graph whose roots are in the initial root package list. This will allow the cataloger to surface all direct and transitive dependencies for a given main module. Vendored dependencies also have the additional bonus of allowing for license discovery during this method, since the module's dirPath is surfaced during its discovery by the `x/tools/go/packages` utility.

Why is this needed:

More accurate Golang source cataloging. Currently we only parse the flat list from go.mod or dependency information from discovered go binaries. This new feature will give a more complete overview of all the modules imported by a go project. Some projects can have more than one go.mod file which could lead to "duplicate" dependencies being discovered during this process. It's important to include in the main package discovered the root parent so that it's obvious to consumers of the SBOM that these "duplicates" belong to different main modules.
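The walk this issue describes, as an added example that is not syft's code and not part of the issue: it consumes the `go list -json -deps` stream that `golang.org/x/tools/go/packages` drives internally, skips the standard library and the main module, records each module once per root together with its on-disk `Dir` (where license files would be found), and keys every entry by the main module that reached it so that a dependency shared by two `go.mod` files stays attributable to each. The `catalogDeps` helper, the `example.com/app` module and the sample `go list` output are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// listPackage is the subset of a `go list -json -deps` record used here; x/tools/go/packages exposes the same data as Package.Module.
type listPackage struct {
	Module *struct { // absent for standard-library packages
		Path, Version string
		Dir           string // module root on disk (vendor/ or module cache): where a license scan would look
		Main          bool   // the main module named at the top of the scanned go.mod
	}
}
// depKey ties a module to the main module whose import graph reached it, so a module shared by two go.mod roots is reported under each.
type depKey struct{ MainModule, Path, Version string }
type dep struct{ Key depKey; Dir string }
// catalogDeps returns every non-stdlib module reachable from mainModule's root packages, once per root.
func catalogDeps(r io.Reader, mainModule string) ([]dep, error) {
	dec, seen, out := json.NewDecoder(r), map[depKey]bool{}, []dep{}
	for {
		var p listPackage
		if err := dec.Decode(&p); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if p.Module == nil || p.Module.Main {
			continue // stdlib packages and the main module itself are not dependencies
		}
		if k := (depKey{mainModule, p.Module.Path, p.Module.Version}); !seen[k] {
			seen[k] = true // a module contributes many packages; record it once
			out = append(out, dep{k, p.Module.Dir})
		}
	}
}
// Constructed sample of `go list -json -deps ./...` output: stdlib, the main module, two vendored modules.
const sampleGoList = `{"ImportPath":"fmt"} {"ImportPath":"example.com/app","Module":{"Path":"example.com/app","Main":true}}
{"ImportPath":"github.com/acme/lib","Module":{"Path":"github.com/acme/lib","Version":"v1.2.0","Dir":"/src/app/vendor/github.com/acme/lib"}}
{"ImportPath":"github.com/acme/lib/internal","Module":{"Path":"github.com/acme/lib","Version":"v1.2.0","Dir":"/src/app/vendor/github.com/acme/lib"}}
{"ImportPath":"golang.org/x/text/unicode","Module":{"Path":"golang.org/x/text","Version":"v0.3.0","Dir":"/src/app/vendor/golang.org/x/text"}}`

func main() {
	deps, err := catalogDeps(strings.NewReader(sampleGoList), "example.com/app")
	fmt.Printf("%+v err=%v\n", deps, err) // one entry per module, attributed to its main module
}
```

Running it against a real checkout means feeding `catalogDeps` the output of `go list -json -deps ./...` executed in the directory holding the `go.mod`, with the `module` line of that file as `mainModule`.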