feat: update syft to v0.74.0 & add support for Docker scanning on ARM (#468)

Co-authored-by: Jamie Magee <jamagee@microsoft.com>
2023-03-08 14:51:58 -08:00 · 2023-03-08 14:51:58 -08:00 · 03dc854992
--- a/docs/update-syft.md
+++ b/docs/update-syft.md
@ -12,40 +12,19 @@ To do this:
    ```

 2. Find the [latest version of Syft][2]
-3. Pull the latest container image
+3. Install [Skopeo][3]
+4. Use [`skopeo`][4] to copy the manifest and images to our Azure Container Registry:

    ```
-    $ docker pull docker.io/anchore/syft:v{LATEST}
-    v0.53.4: Pulling from anchore/syft
-    0d60d5ab2113: Pull complete
-    26136f3e3dd3: Pull complete
-    497aa7f04842: Pull complete
-    Digest: sha256:37e85e8efdeaabb1b6f65c5bc175b664cb05d1aaddd0d922130b8e25d6e49726
-    Status: Downloaded newer image for anchore/syft:v{LATEST}
-    docker.io/anchore/syft:v{LATEST}
+    skopeo copy --all docker://docker.io/anchore/syft:{LATEST} docker://governancecontainerregistry.azurecr.io/syft:{LATEST}
    ```

-4. Retag the container image
-
-    ```
-    $ docker tag docker.io/anchore/syft:v{LATEST} governancecontainerregistry.azurecr.io/syft:v{LATEST}
-    ```
-   
-5. Push the new image to the registry
-
-    ```
-    $ docker push governancecontainerregistry.azurecr.io/syft:v{LATEST}
-    The push refers to repository [governancecontainerregistry.azurecr.io/syft]
-    9c858c120b14: Pushed
-    840f3b941d62: Pushed
-    21ce82bb7448: Pushed
-    v{LATEST: digest: sha256:04ed9c717a814fdccf52758b67333632a0ff16840fc393f5fba5864285eaebbe size: 945
-    ```
-
-6. Update the container reference in [`LinuxScanner`][3]
-7. Update [the models][4] that map the Syft output
+5. Update the container reference in [`LinuxScanner`][5]
+6. Update [the models][6] that map the Syft output

 [1]: https://github.com/anchore/syft
 [2]: https://github.com/anchore/syft/releases/latest
-[3]: https://github.com/microsoft/component-detection/blob/aaf865e38112fb2448f5866ab06d5898358403f6/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs#L20
-[4]: https://github.com/microsoft/component-detection/blob/main/src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftOutput.cs
+[3]: https://github.com/containers/skopeo/blob/main/install.md
+[4]: https://github.com/containers/skopeo
+[5]: https://github.com/microsoft/component-detection/blob/aaf865e38112fb2448f5866ab06d5898358403f6/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs#L20
+[6]: https://github.com/microsoft/component-detection/blob/main/src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftOutput.cs
--- a/src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftOutput.cs
+++ b/src/Microsoft.ComponentDetection.Detectors/linux/Contracts/SyftOutput.cs
@ -11,33 +11,33 @@ using System.Collections.Generic;

 public partial class SyftOutput
 {
-    public Relationship[] ArtifactRelationships { get; set; }
-    public Package[] Artifacts { get; set; }
+    public ArtifactRelationshipElement[] ArtifactRelationships { get; set; }
+    public ArtifactElement[] Artifacts { get; set; }
    public Descriptor Descriptor { get; set; }
-    public LinuxRelease Distro { get; set; }
-    public File[] Files { get; set; }
+    public Distro Distro { get; set; }
+    public FileElement[] Files { get; set; }
    public Schema Schema { get; set; }
-    public Secrets[] Secrets { get; set; }
-    public Source Source { get; set; }
+    public SyftOutputSecret[] Secrets { get; set; }
+    public SourceClass Source { get; set; }
 }

-public partial class Relationship
+public partial class ArtifactRelationshipElement
 {
    public string Child { get; set; }
-    public ConfigurationUnion? Metadata { get; set; }
+    public object Metadata { get; set; }
    public string Parent { get; set; }
    public string Type { get; set; }
 }

-public partial class Package
+public partial class ArtifactElement
 {
    public string[] Cpes { get; set; }
    public string FoundBy { get; set; }
    public string Id { get; set; }
    public string Language { get; set; }
    public string[] Licenses { get; set; }
-    public Coordinates[] Locations { get; set; }
-    public Metadata Metadata { get; set; }
+    public LocationElement[] Locations { get; set; }
+    public MetadataClass Metadata { get; set; }
    public string MetadataType { get; set; }
    public string Name { get; set; }
    public string Purl { get; set; }
@ -45,19 +45,19 @@ public partial class Package
    public string Version { get; set; }
 }

-public partial class Coordinates
+public partial class LocationElement
 {
    public string LayerId { get; set; }
    public string Path { get; set; }
 }

-public partial class Metadata
+public partial class MetadataClass
 {
    public string Architecture { get; set; }
-    public AlpmFileRecord[] Backup { get; set; }
+    public BackupElement[] Backup { get; set; }
    public string Basepackage { get; set; }
    public string Description { get; set; }
-    public FileUnion[] Files { get; set; }
+    public File[] Files { get; set; }
    public License? License { get; set; }
    public string Package { get; set; }
    public string Packager { get; set; }
@ -70,16 +70,26 @@ public partial class Metadata
    public long? InstalledSize { get; set; }
    public string Maintainer { get; set; }
    public string OriginPackage { get; set; }
+    public string[] Provides { get; set; }
    public string PullChecksum { get; set; }
-    public string PullDependencies { get; set; }
+    public string[] PullDependencies { get; set; }
+    public MatchElement[] Matches { get; set; }
    public string Checksum { get; set; }
    public string[] Dependencies { get; set; }
    public string Name { get; set; }
    public SourceUnion? Source { get; set; }
+    public string BuildRequires { get; set; }
+    public string Context { get; set; }
+    public Dictionary<string, string> Options { get; set; }
+    public string PackageId { get; set; }
+    public string Path { get; set; }
+    public string Prev { get; set; }
+    public string PyRequires { get; set; }
+    public string Ref { get; set; }
+    public string Requires { get; set; }
    public string HostedUrl { get; set; }
    public string VcsUrl { get; set; }
    public string HashPath { get; set; }
-    public string Path { get; set; }
    public string Sha512 { get; set; }
    public string SourceVersion { get; set; }
    public Author[] Authors { get; set; }
@ -89,14 +99,22 @@ public partial class Metadata
    public string GoCompiledVersion { get; set; }
    public string H1Digest { get; set; }
    public string MainModule { get; set; }
-    public Digest[] Digest { get; set; }
-    public JavaManifest Manifest { get; set; }
+    public string PkgHash { get; set; }
+    public string SnapshotUrl { get; set; }
+    public DigestElement[] Digest { get; set; }
+    public Manifest Manifest { get; set; }
    public PomProject PomProject { get; set; }
    public PomProperties PomProperties { get; set; }
    public string VirtualPath { get; set; }
+    public string Kb { get; set; }
+    public string ProductId { get; set; }
+    public string PkgHashExt { get; set; }
    public string Author { get; set; }
+    public bool? Private { get; set; }
+    public string Integrity { get; set; }
+    public string Resolved { get; set; }
    public string[] Bin { get; set; }
-    public PhpComposerExternalReference Dist { get; set; }
+    public Dist Dist { get; set; }
    public string[] Keywords { get; set; }
    public string NotificationUrl { get; set; }
    public Dictionary<string, string> Provide { get; set; }
@ -106,26 +124,29 @@ public partial class Metadata
    public string Time { get; set; }
    public string Type { get; set; }
    public string AuthorEmail { get; set; }
-    public PythonDirectUrlOriginInfo DirectUrlOrigin { get; set; }
+    public DirectUrlOrigin DirectUrlOrigin { get; set; }
    public string Platform { get; set; }
    public string SitePackagesRootPath { get; set; }
    public string[] TopLevelPackages { get; set; }
+    public string[] Hashes { get; set; }
+    public string Index { get; set; }
    public long? Epoch { get; set; }
+    public string ModularityLabel { get; set; }
    public string Release { get; set; }
    public string SourceRpm { get; set; }
    public string Vendor { get; set; }
 }

-public partial class PhpComposerAuthors
+public partial class AuthorClass
 {
    public string Email { get; set; }
    public string Homepage { get; set; }
    public string Name { get; set; }
 }

-public partial class AlpmFileRecord
+public partial class BackupElement
 {
-    public Digest[] Digest { get; set; }
+    public DigestElement[] Digest { get; set; }
    public string Gid { get; set; }
    public string Link { get; set; }
    public string Path { get; set; }
@ -135,20 +156,20 @@ public partial class AlpmFileRecord
    public string Uid { get; set; }
 }

-public partial class Digest
+public partial class DigestElement
 {
    public string Algorithm { get; set; }
    public string Value { get; set; }
 }

-public partial class PythonDirectUrlOriginInfo
+public partial class DirectUrlOrigin
 {
    public string CommitId { get; set; }
    public string Url { get; set; }
    public string Vcs { get; set; }
 }

-public partial class PhpComposerExternalReference
+public partial class Dist
 {
    public string Reference { get; set; }
    public string Shasum { get; set; }
@ -156,9 +177,9 @@ public partial class PhpComposerExternalReference
    public string Url { get; set; }
 }

-public partial class FileRecord
+public partial class FileFile
 {
-    public DigestUnion? Digest { get; set; }
+    public Digest? Digest { get; set; }
    public string Gid { get; set; }
    public string Link { get; set; }
    public string Path { get; set; }
@ -176,31 +197,44 @@ public partial class FileRecord
    public string UserName { get; set; }
 }

-public partial class PurpleDigest
+public partial class PurpleSyftOutpu
 {
    public string Algorithm { get; set; }
    public string Value { get; set; }
 }

-public partial class JavaManifest
+public partial class Manifest
 {
    public Dictionary<string, string> Main { get; set; }
    public Dictionary<string, Dictionary<string, string>> NamedSections { get; set; }
 }

+public partial class MatchElement
+{
+    public string Classifier { get; set; }
+    public Location Location { get; set; }
+}
+
+public partial class Location
+{
+    public string LayerId { get; set; }
+    public string Path { get; set; }
+    public string VirtualPath { get; set; }
+}
+
 public partial class PomProject
 {
    public string ArtifactId { get; set; }
    public string Description { get; set; }
    public string GroupId { get; set; }
    public string Name { get; set; }
-    public PomParent Parent { get; set; }
+    public Parent Parent { get; set; }
    public string Path { get; set; }
    public string Url { get; set; }
    public string Version { get; set; }
 }

-public partial class PomParent
+public partial class Parent
 {
    public string ArtifactId { get; set; }
    public string GroupId { get; set; }
@ -219,12 +253,12 @@ public partial class PomProperties

 public partial class Descriptor
 {
-    public ConfigurationUnion? Configuration { get; set; }
+    public object Configuration { get; set; }
    public string Name { get; set; }
    public string Version { get; set; }
 }

-public partial class LinuxRelease
+public partial class Distro
 {
    public string BugReportUrl { get; set; }
    public string BuildId { get; set; }
@ -237,6 +271,7 @@ public partial class LinuxRelease
    public string Name { get; set; }
    public string PrettyName { get; set; }
    public string PrivacyPolicyUrl { get; set; }
+    public string SupportEnd { get; set; }
    public string SupportUrl { get; set; }
    public string Variant { get; set; }
    public string VariantId { get; set; }
@ -245,23 +280,16 @@ public partial class LinuxRelease
    public string VersionId { get; set; }
 }

-public partial class File
+public partial class FileElement
 {
-    public Classification[] Classifications { get; set; }
    public string Contents { get; set; }
-    public Digest[] Digests { get; set; }
+    public DigestElement[] Digests { get; set; }
    public string Id { get; set; }
-    public Coordinates Location { get; set; }
-    public FileMetadataEntry Metadata { get; set; }
+    public LocationElement Location { get; set; }
+    public Metadata Metadata { get; set; }
 }

-public partial class Classification
-{
-    public string Class { get; set; }
-    public Dictionary<string, string> Metadata { get; set; }
-}
-
-public partial class FileMetadataEntry
+public partial class Metadata
 {
    public long GroupId { get; set; }
    public string LinkDestination { get; set; }
@ -277,13 +305,13 @@ public partial class Schema
    public string Version { get; set; }
 }

-public partial class Secrets
+public partial class SyftOutputSecret
 {
-    public Coordinates Location { get; set; }
-    public SearchResult[] SecretsSecrets { get; set; }
+    public LocationElement Location { get; set; }
+    public SecretSecret[] Secrets { get; set; }
 }

-public partial class SearchResult
+public partial class SecretSecret
 {
    public string Classification { get; set; }
    public long Length { get; set; }
@ -293,46 +321,29 @@ public partial class SearchResult
    public string Value { get; set; }
 }

-public partial class Source
+public partial class SourceClass
 {
-    public ConfigurationUnion Target { get; set; }
+    public string Id { get; set; }
+    public object Target { get; set; }
    public string Type { get; set; }
 }

-public partial struct ConfigurationUnion
-{
-    public object[] AnythingArray;
-    public Dictionary<string, object> AnythingMap;
-    public bool? Bool;
-    public double? Double;
-    public long? Integer;
-    public string String;
-
-    public static implicit operator ConfigurationUnion(object[] AnythingArray) => new ConfigurationUnion { AnythingArray = AnythingArray };
-    public static implicit operator ConfigurationUnion(Dictionary<string, object> AnythingMap) => new ConfigurationUnion { AnythingMap = AnythingMap };
-    public static implicit operator ConfigurationUnion(bool Bool) => new ConfigurationUnion { Bool = Bool };
-    public static implicit operator ConfigurationUnion(double Double) => new ConfigurationUnion { Double = Double };
-    public static implicit operator ConfigurationUnion(long Integer) => new ConfigurationUnion { Integer = Integer };
-    public static implicit operator ConfigurationUnion(string String) => new ConfigurationUnion { String = String };
-    public bool IsNull => this.AnythingArray == null && this.Bool == null && this.Double == null && this.Integer == null && this.AnythingMap == null && this.String == null;
-}
-
 public partial struct Author
 {
-    public PhpComposerAuthors PhpComposerAuthors;
+    public AuthorClass AuthorClass;
    public string String;

-    public static implicit operator Author(PhpComposerAuthors PhpComposerAuthors) => new Author { PhpComposerAuthors = PhpComposerAuthors };
+    public static implicit operator Author(AuthorClass AuthorClass) => new Author { AuthorClass = AuthorClass };
    public static implicit operator Author(string String) => new Author { String = String };
 }

-public partial struct DigestUnion
+public partial struct Digest
 {
-    public Digest[] DigestArray;
-    public PurpleDigest PurpleDigest;
+    public DigestElement[] DigestElementArray;
+    public PurpleSyftOutpu PurpleSyftOutpu;

-    public static implicit operator DigestUnion(Digest[] DigestArray) => new DigestUnion { DigestArray = DigestArray };
-    public static implicit operator DigestUnion(PurpleDigest PurpleDigest) => new DigestUnion { PurpleDigest = PurpleDigest };
+    public static implicit operator Digest(DigestElement[] DigestElementArray) => new Digest { DigestElementArray = DigestElementArray };
+    public static implicit operator Digest(PurpleSyftOutpu PurpleSyftOutpu) => new Digest { PurpleSyftOutpu = PurpleSyftOutpu };
 }

 public partial struct Size
@ -344,13 +355,13 @@ public partial struct Size
    public static implicit operator Size(string String) => new Size { String = String };
 }

-public partial struct FileUnion
+public partial struct File
 {
-    public FileRecord FileRecord;
+    public FileFile FileFile;
    public string String;

-    public static implicit operator FileUnion(FileRecord FileRecord) => new FileUnion { FileRecord = FileRecord };
-    public static implicit operator FileUnion(string String) => new FileUnion { String = String };
+    public static implicit operator File(FileFile FileFile) => new File { FileFile = FileFile };
+    public static implicit operator File(string String) => new File { String = String };
 }

 public partial struct License
@ -364,9 +375,9 @@ public partial struct License

 public partial struct SourceUnion
 {
-    public PhpComposerExternalReference PhpComposerExternalReference;
+    public Dist Dist;
    public string String;

-    public static implicit operator SourceUnion(PhpComposerExternalReference PhpComposerExternalReference) => new SourceUnion { PhpComposerExternalReference = PhpComposerExternalReference };
+    public static implicit operator SourceUnion(Dist Dist) => new SourceUnion { Dist = Dist };
    public static implicit operator SourceUnion(string String) => new SourceUnion { String = String };
 }
--- a/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
+++ b/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
@ -15,7 +15,7 @@ using Newtonsoft.Json;

 public class LinuxScanner : ILinuxScanner
 {
-    private const string ScannerImage = "governancecontainerregistry.azurecr.io/syft:v0.53.4@sha256:04ed9c717a814fdccf52758b67333632a0ff16840fc393f5fba5864285eaebbe";
+    private const string ScannerImage = "governancecontainerregistry.azurecr.io/syft:v0.74.0@sha256:5b186241c12047572d573116e6ff9305c83b2bb178d2e4ca556165e7f918c3dd";

    private static readonly IList<string> CmdParameters = new List<string>
    {