wip: sbom generation

common/apt/sbom.go

@@ -0,0 +1,126 @@
+package apt
+
+import (
+	"context"
+	"fmt"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/buildpacks/libcnb"
+	"io"
+	"path"
+	"path/filepath"
+)
+
+var _ pkg.Cataloger = (*aptConfigurationCataloger)(nil)
+
+type aptConfigurationCataloger struct {
+	Layer libcnb.Layer
+}
+
+func NewAptConfigurationCataloger(layer libcnb.Layer) pkg.Cataloger {
+	return aptConfigurationCataloger{
+		Layer: layer,
+	}
+}
+
+func (m aptConfigurationCataloger) Name() string {
+	return "apt-packages-cataloger"
+}
+
+func (m aptConfigurationCataloger) Catalog(_ context.Context, resolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) {
+	//packages := GetPackages(filepath.Join(m.Layer.Path, "cache"))
+	//
+
+	fmt.Println(filepath.Join(m.Layer.Path, "cache", "archive"))
+	//version, versionLocations, err := getVersion(resolver)
+	//if err != nil {
+	//	return nil, nil, fmt.Errorf("unable to get apt version: %w", err)
+	//}
+	//if len(versionLocations) == 0 {
+	//	// this doesn't mean we should stop cataloging, just that we don't have a version to use, thus no package to raise up
+	//	return nil, nil, nil
+	//}
+	//
+	//metadata, metadataLocations, err := newAptConfiguration(resolver)
+	//if err != nil {
+	//	return nil, nil, err
+	//}
+	//
+	//var locations []file.Location
+	//locations = append(locations, versionLocations...)
+	//locations = append(locations, metadataLocations...)
+	//
+	//p := newPackage(name, version, *metadata, locations...)
+
+	return []pkg.Package{}, nil, nil
+}
+
+func newPackage(name string, version string, metadata AptConfiguration, locations ...file.Location) pkg.Package {
+	return pkg.Package{
+		Name:      name,
+		Version:   version,
+		Locations: file.NewLocationSet(locations...),
+		Type:      pkg.Type("apt"),
+		Metadata:  metadata,
+	}
+}
+
+func newAptConfiguration(resolver file.Resolver) (*AptConfiguration, []file.Location, error) {
+	var locations []file.Location
+
+	//keys, keyLocations, err := getAPKKeys(resolver)
+	//if err != nil {
+	//	return nil, nil, err
+	//}
+	//
+	//locations = append(locations, keyLocations...)
+
+	return &AptConfiguration{}, locations, nil
+}
+
+func getVersion(resolver file.Resolver) (string, []file.Location, error) {
+	locations, err := resolver.FilesByPath("/etc/apt-release")
+	if err != nil {
+		return "", nil, fmt.Errorf("unable to get apt version: %w", err)
+	}
+	if len(locations) == 0 {
+		return "", nil, nil
+	}
+
+	reader, err := resolver.FileContentsByLocation(locations[0])
+	if err != nil {
+		return "", nil, fmt.Errorf("unable to read apt version: %w", err)
+	}
+
+	version, err := io.ReadAll(reader)
+	if err != nil {
+		return "", nil, fmt.Errorf("unable to read apt version: %w", err)
+	}
+
+	return string(version), locations, nil
+}
+
+func getAPKKeys(resolver file.Resolver) (map[string]string, []file.Location, error) {
+	// name-to-content values
+	keyContent := make(map[string]string)
+
+	locations, err := resolver.FilesByGlob("/etc/apk/keys/*.rsa.pub")
+	if err != nil {
+		return nil, nil, fmt.Errorf("unable to get apk keys: %w", err)
+	}
+	for _, location := range locations {
+		basename := path.Base(location.RealPath)
+		reader, err := resolver.FileContentsByLocation(location)
+		content, err := io.ReadAll(reader)
+		if err != nil {
+			return nil, nil, fmt.Errorf("unable to read apk key content at %s: %w", location.RealPath, err)
+		}
+		keyContent[basename] = string(content)
+	}
+	return keyContent, locations, nil
+}
+
+type AptConfiguration struct {
+	// Add more data you want to capture as part of the package metadata here...
+}

common/sbom/generator.go

@@ -0,0 +1,41 @@
+package sbom
+
+import (
+	"context"
+	"crypto"
+	"github.com/anchore/syft/syft"
+	"github.com/anchore/syft/syft/cataloging/filecataloging"
+	"github.com/anchore/syft/syft/cataloging/pkgcataloging"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/sbom"
+)
+
+type Source struct {
+}
+
+func Generate(cataloger pkg.Cataloger) sbom.SBOM {
+	src, err := syft.GetSource(context.Background(), "", nil)
+
+	cfg := syft.DefaultCreateSBOMConfig().
+		//WithParallelism(5).
+		//WithTool("my-tool", "v1.0").
+		WithFilesConfig(
+			filecataloging.
+				DefaultConfig().
+				WithSelection(file.AllFilesSelection).
+				WithHashers(
+					crypto.MD5,
+					crypto.SHA1,
+					crypto.SHA256,
+				),
+		).
+		WithCatalogers(pkgcataloging.NewAlwaysEnabledCatalogerReference(cataloger))
+
+	s, err := syft.CreateSBOM(context.Background(), src, cfg)
+	if err != nil {
+		panic(err)
+	}
+
+	return *s
+}

go.mod

@@ -1,22 +1,196 @@
 module github.com/acodeninja/buildpacks
 
-go 1.22.1
+go 1.23.2
 
 require (
-	github.com/buildpacks/libcnb v1.30.3
-	github.com/fatih/color v1.16.0
-	github.com/paketo-buildpacks/libpak v1.69.1
+	github.com/BurntSushi/toml v1.4.0
+	github.com/anchore/syft v1.14.0
+	github.com/buildpacks/libcnb v1.30.4
+	github.com/paketo-buildpacks/libpak v1.72.0
 )
 
 require (
-	github.com/BurntSushi/toml v1.3.2 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/creack/pty v1.1.21 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
+	github.com/DataDog/zstd v1.5.5 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/Microsoft/hcsshim v0.11.4 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/acobaugh/osrelease v0.1.0 // indirect
+	github.com/adrg/xdg v0.5.0 // indirect
+	github.com/anchore/clio v0.0.0-20240522144804-d81e109008aa // indirect
+	github.com/anchore/fangs v0.0.0-20240903175602-e716ef12c23d // indirect
+	github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 // indirect
+	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a // indirect
+	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
+	github.com/anchore/packageurl-go v0.1.1-0.20240507183024-848e011fc24f // indirect
+	github.com/anchore/stereoscope v0.0.4-0.20241005180410-efa76446cc1c // indirect
+	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
+	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/becheran/wildmatch-go v1.0.0 // indirect
+	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
+	github.com/charmbracelet/lipgloss v0.13.0 // indirect
+	github.com/charmbracelet/x/ansi v0.2.3 // indirect
+	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/containerd v1.7.11 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/containerd/ttrpc v1.2.2 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/creack/pty v1.1.23 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v27.3.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/edsrzf/mmap-go v1.1.0 // indirect
+	github.com/elliotchance/phpserialize v1.4.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/facebookincubator/nvdtools v0.1.5 // indirect
+	github.com/felixge/fgprof v0.9.3 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.4 // indirect
+	github.com/github/go-spdx/v2 v2.3.2 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.12.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-restruct/restruct v1.2.0-alpha // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-containerregistry v0.20.2 // indirect
+	github.com/google/licensecheck v0.3.1 // indirect
+	github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gookit/color v1.5.4 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/heroku/color v0.0.6 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/iancoleman/strcase v0.3.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
+	github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.17.8 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
+	github.com/knqyf263/go-rpmdb v0.1.1 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mholt/archiver/v3 v3.5.1 // indirect
+	github.com/microsoft/go-rustaudit v0.0.0-20220730194248-4b17361d90a5 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
-	github.com/onsi/gomega v1.33.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/nwaples/rardecode v1.1.0 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/onsi/gomega v1.34.2 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/runc v1.1.14 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/pborman/indent v1.2.1 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pierrec/lz4/v4 v4.1.19 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/profile v1.7.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/saferwall/pe v1.5.4 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
+	github.com/sassoftware/go-rpmutils v0.4.0 // indirect
+	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
+	github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spdx/tools-golang v0.5.5 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/sylabs/sif/v2 v2.17.1 // indirect
+	github.com/sylabs/squashfs v1.0.0 // indirect
+	github.com/therootcompany/xz v1.0.1 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/vbatts/go-mtree v0.5.4 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/vifraa/gopom v1.0.0 // indirect
+	github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
+	github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/tools v0.24.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect
+	google.golang.org/grpc v1.62.1 // indirect
+	google.golang.org/protobuf v1.35.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )