anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Support for Elixir programming language #774

Closed mbihoop closed 1 year ago

mbihoop commented 2 years ago

What would you like to be added:

Support for Elixir projects

Why is this needed:

Elixir is a popular programming language in security-conscious environments (telecom, gaming, anything that requires low latency). Elixir already generates an SBOM which would be quite easy for you to parse, so it's likely a quick win for your product.

Additional context:

Elixir projects have a file at their project root called mix.lock which lists all the dependencies used for both compilation and runtime:

An example of its contents, taken from inquisitivedeveloper.com, looks like the following:

%{
  "certifi": {:hex, :certifi, "2.4.2", "75424ff0f3baaccfd34b1214184b6ef616d89e420b258bb0a5ea7d7bc628f7f0", [:rebar3], [{:parse_trans, "~>3.3", [hex: :parse_trans, repo: "hexpm", optional: false]}], "hexpm"},
  "hackney": {:hex, :hackney, "1.14.3", "b5f6f5dcc4f1fba340762738759209e21914516df6be440d85772542d4a5e412", [:rebar3], [{:certifi, "2.4.2", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "6.0.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "1.0.1", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "1.0.2", [hex: :mimerl, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "1.1.4", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}], "hexpm"},
  "httpoison": {:hex, :httpoison, "1.0.0", "1f02f827148d945d40b24f0b0a89afe40bfe037171a6cf70f2486976d86921cd", [:mix], [{:hackney, "~> 1.8", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm"},
  "idna": {:hex, :idna, "6.0.0", "689c46cbcdf3524c44d5f3dde8001f364cd7608a99556d8fbd8239a5798d4c10", [:rebar3], [{:unicode_util_compat, "0.4.1", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm"},
  "metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm"},
  "mimerl": {:hex, :mimerl, "1.0.2", "993f9b0e084083405ed8252b99460c4f0563e41729ab42d9074fd5e52439be88", [:rebar3], [], "hexpm"},
  "parse_trans": {:hex, :parse_trans, "3.3.0", "09765507a3c7590a784615cfd421d101aec25098d50b89d7aa1d66646bc571c1", [], [], "hexpm"},
  "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.4", "f0eafff810d2041e93f915ef59899c923f4568f4585904d010387ed74988e77b", [], [], "hexpm"},
  "unicode_util_compat": {:hex, :unicode_util_compat, "0.4.1", "d869e4c68901dd9531385bb0c8c40444ebf624e60b6962d95952775cac5e90cd", [], [], "hexpm"},
}

In the above example, the dependencies are all pulled down from the central Elixir package repository hex.pm, but it is commonly the case, particularly in projects with closed-source, private dependencies, that the dependencies will be fetched from GitHub instead.

Here's an example taken from renderedtext/thrift-with-tackle with a lot of GitHub dependencies:

%{"amqp": {:hex, :amqp, "0.1.4", "5d9112c3a850234559073c23fda173364dfd11d8ce8d0138cd46f653fdc55f08", [:mix], [{:amqp_client, ">= 3.5.6", [hex: :amqp_client, optional: false]}]},
  "amqp_client": {:hex, :amqp_client, "3.5.6", "ed7e63122f32af1d503d134e6c1b088a0627e89c6b5c77b92984c841cb0939be", [:rebar], [{:rabbit_common, "3.5.6", [hex: :rabbit_common, optional: false]}]},
  "exlager": {:git, "https://github.com/khia/exlager.git", "78d4ebedf4ea1e31ad2aa202632172a4f775efa8", []},
  "goldrush": {:git, "git://github.com/DeadZen/goldrush.git", "212299233c7e7eb63a97be2777e1c05ebaa58dbe", [tag: "0.1.8"]},
  "lager": {:git, "https://github.com/basho/lager.git", "8187757388c9adc915379caaab36a2f2ca26e944", []},
  "meck": {:hex, :meck, "0.8.4", "59ca1cd971372aa223138efcf9b29475bde299e1953046a0c727184790ab1520", [:rebar, :make], []},
  "mock": {:git, "https://github.com/jjh42/mock.git", "7f2251f781f646a08bb65c85c215f107c9627435", []},
  "rabbit_common": {:hex, :rabbit_common, "3.5.6", "ad541be86f08cdb1c04320eb4353ad30f25555569c95cc062af28cf79b74d085", [:rebar], []},
  "riffed": {:git, "https://github.com/pinterest/riffed.git", "ca083d52d4ecfad822432da3925f644bc748f260", [tag: "1.0.0", submodules: true]},
  "tackle": {:git, "https://github.com/renderedtext/ex-tackle.git", "e545634d181220a28d84d823e4200a45328aa734", []},
  "thrift": {:git, "https://github.com/pinterest/elixir-thrift.git", "9c3871cc9568eaf23c701ae11dece7bb5790b8ab", [tag: "1.0.0", submodules: true]},
  "thrift_serializer": {:git, "https://github.com/renderedtext/ex-thrift-serializer.git", "3994d70c452ab426bab435033f5d060e1efe8088", []}}

One other thing that's worth mentioning is that Elixir projects will quite commonly use Node.js to generate web artefacts, so users will typically need to scan their project for both Elixir and Node.js lock files.
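The two entry shapes shown in the post (hex.pm packages with a sha256, git sources pinned to a commit) can be pulled out of a mix.lock with a couple of regular expressions. The parser below is an added example, not syft's own cataloger; the regexes, the Package struct and the ReviewFindings check are assumptions about the format based only on the examples above, and older lock files that omit trailing tuple elements still match because only the leading fields are used.

```go
package main

import (
	"regexp"
	"strings"
)

// Package is one dependency recovered from a mix.lock map entry.
type Package struct {
	Name     string // map key, e.g. "hackney"
	Source   string // "hex" or "git"
	Version  string // hex version, or the pinned commit for git sources
	Checksum string // sha256 recorded by hex.pm (empty for git sources)
	URL      string // git repository URL (empty for hex sources)
}
// Entry shapes seen in the issue (older lock files omit trailing elements):
//   "name": {:hex, :name, "version", "sha256", [build tools], [deps], "hexpm"}
//   "name": {:git, "url", "commit", [opts]}
var (
	hexRe = regexp.MustCompile(`"([^"]+)":\s*\{:hex,\s*:[A-Za-z0-9_]+,\s*"([^"]+)",\s*"([0-9a-fA-F]{64})"`)
	gitRe = regexp.MustCompile(`"([^"]+)":\s*\{:git,\s*"([^"]+)",\s*"([0-9a-fA-F]{40})"`)
)

// ParseMixLock returns every hex and git dependency found in lock contents;
// matching runs over the whole text, so multi-line entries are handled.
func ParseMixLock(contents string) []Package {
	var pkgs []Package
	for _, m := range hexRe.FindAllStringSubmatch(contents, -1) {
		pkgs = append(pkgs, Package{Name: m[1], Source: "hex", Version: m[2], Checksum: m[3]})
	}
	for _, m := range gitRe.FindAllStringSubmatch(contents, -1) {
		pkgs = append(pkgs, Package{Name: m[1], Source: "git", Version: m[3], URL: m[2]})
	}
	return pkgs
}

// ReviewFindings lists git-sourced packages (no hex.pm checksum to verify
// against) and singles out git:// URLs, which fetch over an unauthenticated transport.
func ReviewFindings(pkgs []Package) []string {
	var out []string
	for _, p := range pkgs {
		switch {
		case p.Source != "git":
		case strings.HasPrefix(p.URL, "git://"):
			out = append(out, p.Name+": fetched over unauthenticated git:// transport")
		default:
			out = append(out, p.Name+": commit-pinned git source without hex.pm checksum")
		}
	}
	return out
}
```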

jonasagx commented 2 years ago

Hi @mbihoop - thank you for the suggestion. You're welcome to work on this feature and release it sooner; my team and I can assist with questions and reviews. In the meantime I will add it to our pipeline.

wagoodman commented 1 year ago

Hey @mbihoop, it looks like this has been implemented by https://github.com/anchore/syft/pull/1073 so I'll close this... though if there is a nuance about this issue that I missed that is different than what 1073 covered, shout out and I'll reopen it.