anchore · C0D3-M4513R · Jun 10, 2024 · Jun 11, 2024 · Jun 11, 2024 · Jun 11, 2024
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -233,7 +233,7 @@ tasks:
       - cmd: "test -f {{ .SNAPSHOT_BIN }} || (find {{ .SNAPSHOT_DIR }} && echo '\nno snapshot found' && false)"
         silent: true
 
-      - "go test -count=1 -timeout=15m -v ./test/cli"
+      - "go test -count=1 -timeout=25m -v ./test/cli"
     env:
       SYFT_BINARY_LOCATION: "{{ .SNAPSHOT_BIN }}"
 

diff --git a/go.mod b/go.mod
@@ -58,7 +58,7 @@ require (
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/pelletier/go-toml v1.9.5
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22
 	github.com/saferwall/pe v1.5.4
 	github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d
@@ -91,6 +91,7 @@ require (
 	github.com/OneOfOne/xxhash v1.2.8
 	github.com/adrg/xdg v0.5.0
 	github.com/magiconair/properties v1.8.7
+	github.com/pelletier/go-toml/v2 v2.1.0
 	golang.org/x/exp v0.0.0-20231108232855-2478ac86f678
 )
 

diff --git a/internal/cmptest/common_options.go b/internal/cmptest/common_options.go
@@ -1,9 +1,12 @@
 package cmptest
 
 import (
+	"slices"
+
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 
+	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
 )
@@ -24,7 +27,16 @@ func CommonOptions(licenseCmp LicenseComparer, locationCmp LocationComparer) []c
 	return []cmp.Option{
 		cmpopts.IgnoreFields(pkg.Package{}, "id"), // note: ID is not deterministic for test purposes
 		cmpopts.SortSlices(pkg.Less),
-		cmpopts.SortSlices(DefaultRelationshipComparer),
+		cmp.Comparer(func(x, y []artifact.Relationship) bool {
+			// copy here, because we shouldn't mutate the input in any way!
+			cpyX := make([]artifact.Relationship, len(x))
+			copy(cpyX, x)
+			cpyY := make([]artifact.Relationship, len(y))
+			copy(cpyY, x)
+			slices.SortStableFunc(cpyX, DefaultRelationshipComparer)
+			slices.SortStableFunc(cpyY, DefaultRelationshipComparer)
+			return slices.CompareFunc(cpyX, cpyY, DefaultRelationshipComparer) == 0
+		}),
 		cmp.Comparer(
 			func(x, y file.LocationSet) bool {
 				xs := x.ToSlice()

diff --git a/internal/cmptest/relationship.go b/internal/cmptest/relationship.go
@@ -1,26 +1,92 @@
 package cmptest
 
 import (
+	"reflect"
+
 	"github.com/sanity-io/litter"
 
 	"github.com/anchore/syft/syft/artifact"
 )
 
 type RelationshipComparer func(x, y artifact.Relationship) bool
 
-var relationshipStringer = litter.Options{
+var dataStringer = litter.Options{
 	Compact:           true,
 	StripPackageNames: false,
-	HidePrivateFields: true, // we want to ignore package IDs
-	HideZeroValues:    true,
-	StrictGo:          true,
+	//HidePrivateFields: true, // we want to ignore package IDs
+	HideZeroValues: true,
+	StrictGo:       true,
 	//FieldExclusions: ...  // these can be added for future values that need to be ignored
 	//FieldFilter: ...
 }
 
-func DefaultRelationshipComparer(x, y artifact.Relationship) bool {
+func DefaultRelationshipComparer(x, y artifact.Relationship) int {
+	if x.Type < y.Type {
+		return -1
+	}
+	if x.Type > y.Type {
+		return 1
+	}
+
+	if i := DefaultIdentifiableComparer(x.From, y.From); i != 0 {
+		return i
+	}
+	if i := DefaultIdentifiableComparer(x.To, y.To); i != 0 {
+		return i
+	}
+
+	if x.Data == nil && y.Data == nil {
+		return 0
+	}
+	if x.Data == nil {
+		return -1
+	}
+	if y.Data == nil {
+		return 1
+	}
+
+	{
+		xData := reflect.ValueOf(x.Data).Type().Name()
+		yData := reflect.ValueOf(y.Data).Type().Name()
+		if xData < yData {
+			return -1
+		}
+		if xData > yData {
+			return 1
+		}
+	}
 	// we just need a stable sort, the ordering does not need to be sensible
-	xStr := relationshipStringer.Sdump(x)
-	yStr := relationshipStringer.Sdump(y)
-	return xStr < yStr
+	xStr := dataStringer.Sdump(x.Data)
+	yStr := dataStringer.Sdump(y.Data)
+	if xStr < yStr {
+		return -1
+	}
+	if xStr > yStr {
+		return 1
+	}
+	return 0
+}
+
+func DefaultIdentifiableComparer(x, y artifact.Identifiable) int {
+	{
+		xTo := reflect.ValueOf(x).Type().Name()
+		yTo := reflect.ValueOf(y).Type().Name()
+		if xTo < yTo {
+			return -1
+		}
+		if xTo > yTo {
+			return 1
+		}
+	}
+	{
+		xFrom := x.ID()
+		yFrom := y.ID()
+		if xFrom < yFrom {
+			return -1
+		}
+		if xFrom > yFrom {
+			return 1
+		}
+	}
+	return 0
 }
diff --git a/internal/relationship/sort.go b/internal/relationship/sort.go
@@ -1,42 +1,15 @@
 package relationship
 
 import (
-	"sort"
+	"slices"
 
+	"github.com/anchore/syft/internal/cmptest"
 	"github.com/anchore/syft/syft/artifact"
-	"github.com/anchore/syft/syft/pkg"
 )
 
 // Sort takes a set of package-to-package relationships and sorts them in a stable order by name and version.
 // Note: this does not consider package-to-other, other-to-package, or other-to-other relationships.
 // TODO: ideally this should be replaced with a more type-agnostic sort function that resides in the artifact package.
 func Sort(rels []artifact.Relationship) {
-	sort.SliceStable(rels, func(i, j int) bool {
-		return less(rels[i], rels[j])
-	})
-}
-
-func less(i, j artifact.Relationship) bool {
-	iFrom, ok1 := i.From.(pkg.Package)
-	iTo, ok2 := i.To.(pkg.Package)
-	jFrom, ok3 := j.From.(pkg.Package)
-	jTo, ok4 := j.To.(pkg.Package)
-
-	if !(ok1 && ok2 && ok3 && ok4) {
-		return false
-	}
-
-	if iFrom.Name != jFrom.Name {
-		return iFrom.Name < jFrom.Name
-	}
-	if iFrom.Version != jFrom.Version {
-		return iFrom.Version < jFrom.Version
-	}
-	if iTo.Name != jTo.Name {
-		return iTo.Name < jTo.Name
-	}
-	if iTo.Version != jTo.Version {
-		return iTo.Version < jTo.Version
-	}
-	return i.Type < j.Type
+	slices.SortStableFunc(rels, cmptest.DefaultRelationshipComparer)
 }
diff --git a/internal/task/package_tasks.go b/internal/task/package_tasks.go
@@ -107,7 +107,10 @@ func DefaultPackageTaskFactories() PackageTaskFactories {
 		),
 		newSimplePackageTaskFactory(ruby.NewGemFileLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "ruby", "gem"),
 		newSimplePackageTaskFactory(ruby.NewGemSpecCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "ruby", "gem", "gemspec"),
-		newSimplePackageTaskFactory(rust.NewCargoLockCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "rust", "cargo"),
+		newPackageTaskFactory(
+			func(cfg CatalogingFactoryConfig) pkg.Cataloger {
+				return rust.NewCargoLockCataloger(cfg.PackagesConfig.RustCargoLock)
+			}, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "rust", "cargo"),
 		newSimplePackageTaskFactory(swift.NewCocoapodsCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "swift", "cocoapods"),
 		newSimplePackageTaskFactory(swift.NewSwiftPackageManagerCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "swift", "spm"),
 		newSimplePackageTaskFactory(swipl.NewSwiplPackCataloger, pkgcataloging.DeclaredTag, pkgcataloging.DirectoryTag, pkgcataloging.LanguageTag, "swipl", "pack"),

diff --git a/syft/cataloging/pkgcataloging/config.go b/syft/cataloging/pkgcataloging/config.go
@@ -7,24 +7,27 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/javascript"
 	"github.com/anchore/syft/syft/pkg/cataloger/kernel"
 	"github.com/anchore/syft/syft/pkg/cataloger/python"
+	"github.com/anchore/syft/syft/pkg/cataloger/rust"
 )
 
 type Config struct {
-	Binary      binary.ClassifierCatalogerConfig  `yaml:"binary" json:"binary" mapstructure:"binary"`
-	Golang      golang.CatalogerConfig            `yaml:"golang" json:"golang" mapstructure:"golang"`
-	JavaArchive java.ArchiveCatalogerConfig       `yaml:"java-archive" json:"java-archive" mapstructure:"java-archive"`
-	JavaScript  javascript.CatalogerConfig        `yaml:"javascript" json:"javascript" mapstructure:"javascript"`
-	LinuxKernel kernel.LinuxKernelCatalogerConfig `yaml:"linux-kernel" json:"linux-kernel" mapstructure:"linux-kernel"`
-	Python      python.CatalogerConfig            `yaml:"python" json:"python" mapstructure:"python"`
+	Binary        binary.ClassifierCatalogerConfig  `yaml:"binary" json:"binary" mapstructure:"binary"`
+	Golang        golang.CatalogerConfig            `yaml:"golang" json:"golang" mapstructure:"golang"`
+	RustCargoLock rust.CargoLockCatalogerConfig     `yaml:"cargo" json:"cargo" mapstructure:"cargo"`
+	JavaArchive   java.ArchiveCatalogerConfig       `yaml:"java-archive" json:"java-archive" mapstructure:"java-archive"`
+	JavaScript    javascript.CatalogerConfig        `yaml:"javascript" json:"javascript" mapstructure:"javascript"`
+	LinuxKernel   kernel.LinuxKernelCatalogerConfig `yaml:"linux-kernel" json:"linux-kernel" mapstructure:"linux-kernel"`
+	Python        python.CatalogerConfig            `yaml:"python" json:"python" mapstructure:"python"`
 }
 
 func DefaultConfig() Config {
 	return Config{
-		Binary:      binary.DefaultClassifierCatalogerConfig(),
-		Golang:      golang.DefaultCatalogerConfig(),
-		LinuxKernel: kernel.DefaultLinuxKernelCatalogerConfig(),
-		Python:      python.DefaultCatalogerConfig(),
-		JavaArchive: java.DefaultArchiveCatalogerConfig(),
+		Binary:        binary.DefaultClassifierCatalogerConfig(),
+		Golang:        golang.DefaultCatalogerConfig(),
+		RustCargoLock: rust.DefaultCargoLockCatalogerConfig(),
+		LinuxKernel:   kernel.DefaultLinuxKernelCatalogerConfig(),
+		Python:        python.DefaultCatalogerConfig(),
+		JavaArchive:   java.DefaultArchiveCatalogerConfig(),
 	}
 }
 
@@ -57,3 +60,8 @@ func (c Config) WithJavaArchiveConfig(cfg java.ArchiveCatalogerConfig) Config {
 	c.JavaArchive = cfg
 	return c
 }
+
+func (c Config) WithRustCargoLockConfig(cfg rust.CargoLockCatalogerConfig) Config {
+	c.RustCargoLock = cfg
+	return c
+}
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
@@ -777,6 +777,14 @@ func newPackageVerificationCode(rels *relationship.Index, p pkg.Package, sbom sb
 		digests = append(digests, d)
 	}
 
+	for _, r := range sbom.RelationshipsForPackage(p, artifact.ContainsRelationship) {
+		if digest, exists := r.Data.(file.Digest); exists {
+			if digest.Algorithm == "sha1" {
+				digests = append(digests, digest)
+			}
+		}
+	}
+
 	if len(digests) == 0 {
 		return nil
 	}

diff --git a/syft/format/internal/cyclonedxutil/helpers/external_references_test.go b/syft/format/internal/cyclonedxutil/helpers/external_references_test.go
@@ -7,6 +7,7 @@
 	"github.com/stretchr/testify/assert"
 
 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/rust/internal/cargo"
 )
 
 func Test_encodeExternalReferences(t *testing.T) {
@@ -62,7 +63,7 @@
 				Language: pkg.Rust,
 				Type:     pkg.RustPkg,
 				Licenses: pkg.NewLicenseSet(),
-				Metadata: pkg.RustCargoLockEntry{
+				Metadata: cargo.RustCargoLockEntry{
 					Name:     "ansi_term",
 					Version:  "0.12.1",
 					Source:   "registry+https://github.com/rust-lang/crates.io-index",

diff --git a/syft/format/internal/spdxutil/helpers/description.go b/syft/format/internal/spdxutil/helpers/description.go
@@ -1,6 +1,8 @@
 package helpers
 
-import "github.com/anchore/syft/syft/pkg"
+import (
+	"github.com/anchore/syft/syft/pkg"
+)
 
 func Description(p pkg.Package) string {
 	if hasMetadata(p) {
@@ -9,6 +11,10 @@ func Description(p pkg.Package) string {
 			return metadata.Description
 		case pkg.NpmPackage:
 			return metadata.Description
+		case pkg.RustCargo:
+			if cargoEntry := metadata.CargoEntry; cargoEntry != nil {
+				return cargoEntry.Description
+			}
 		}
 	}
 	return ""

diff --git a/syft/format/internal/spdxutil/helpers/download_location.go b/syft/format/internal/spdxutil/helpers/download_location.go
@@ -1,6 +1,8 @@
 package helpers
 
-import "github.com/anchore/syft/syft/pkg"
+import (
+	"github.com/anchore/syft/syft/pkg"
+)
 
 const NONE = "NONE"
 const NOASSERTION = "NOASSERTION"
@@ -22,6 +24,14 @@ func DownloadLocation(p pkg.Package) string {
 			return NoneIfEmpty(metadata.URL)
 		case pkg.NpmPackageLockEntry:
 			return NoneIfEmpty(metadata.Resolved)
+		case pkg.RustCargo:
+			if lockEntry := metadata.LockEntry; lockEntry != nil {
+				url, isRemote := lockEntry.SourceRemoteURL()
+				if isRemote {
+					return NoneIfEmpty(url)
+				}
+				return NOASSERTION
+			}
 		case pkg.PhpComposerLockEntry:
 			return NoneIfEmpty(metadata.Dist.URL)
 		case pkg.PhpComposerInstalledEntry:

diff --git a/syft/format/internal/spdxutil/helpers/homepage.go b/syft/format/internal/spdxutil/helpers/homepage.go
@@ -1,6 +1,8 @@
 package helpers
 
-import "github.com/anchore/syft/syft/pkg"
+import (
+	"github.com/anchore/syft/syft/pkg"
+)
 
 func Homepage(p pkg.Package) string {
 	if hasMetadata(p) {
@@ -9,6 +11,13 @@ func Homepage(p pkg.Package) string {
 			return metadata.Homepage
 		case pkg.NpmPackage:
 			return metadata.Homepage
+		case pkg.RustCargo:
+			if cargoEntry := metadata.CargoEntry; cargoEntry != nil {
+				if cargoEntry.Homepage != "" {
+					return cargoEntry.Homepage
+				}
+				return cargoEntry.Repository
+			}
 		}
 	}
 	return ""

diff --git a/syft/format/internal/spdxutil/helpers/originator_supplier_test.go b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go
@@ -7,6 +7,7 @@
 
 	"github.com/anchore/syft/syft/internal/packagemetadata"
 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/rust/internal/cargo"
 )
 
 func Test_OriginatorSupplier(t *testing.T) {
@@ -38,7 +39,7 @@
 		pkg.PythonRequirementsEntry{},
 		pkg.PythonPoetryLockEntry{},
 		pkg.RustBinaryAuditEntry{},
-		pkg.RustCargoLockEntry{},
+		cargo.RustCargoLockEntry{},
 		pkg.SwiftPackageManagerResolvedEntry{},
 		pkg.SwiplPackEntry{},
 		pkg.OpamPackage{},

diff --git a/syft/format/syftjson/model/package_test.go b/syft/format/syftjson/model/package_test.go
@@ -10,6 +10,7 @@
 
 	"github.com/anchore/syft/syft/license"
 	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/rust/internal/cargo"
 )
 
 func Test_UnmarshalJSON(t *testing.T) {
@@ -355,7 +356,7 @@
 }`),
 			assert: func(p *Package) {
 				assert.Equal(t, pkg.HackagePkg, p.Type)
-				assert.Equal(t, reflect.TypeOf(pkg.RustCargoLockEntry{}).Name(), reflect.TypeOf(p.Metadata).Name())
+				assert.Equal(t, reflect.TypeOf(cargo.RustCargoLockEntry{}).Name(), reflect.TypeOf(p.Metadata).Name())
 			},
 		},
 		{