capabilities

package
v1.40.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

README

Cataloger Capabilities Documentation

This documentation describes the format and structure of cataloger capabilities YAML files.

File Organization

Capabilities are organized as follows:

  • Cataloger capabilities: Located in syft/pkg/cataloger/*/capabilities.yaml (one file per ecosystem, alongside the cataloger source code: golang/capabilities.yaml, python/capabilities.yaml, etc.)
  • Application configuration: Located in internal/capabilities/appconfig.yaml

Each capabilities.yaml file is partially auto-generated. Run go generate ./internal/capabilities to regenerate.

  • Fields marked AUTO-GENERATED will be updated during regeneration
  • All capabilities sections are MANUAL - edit these to describe cataloger behavior

Capability Sections

There are two types of capability sections depending on cataloger type:

1. Generic Catalogers (type: generic)
  • Have capabilities at the PARSER level
  • Each parser function has its own capabilities section
  • Allows different parsers within the same cataloger to have different capabilities
2. Custom Catalogers (type: custom)
  • Have capabilities at the CATALOGER level
  • Single capabilities section for the entire cataloger

Capabilities Format

Capabilities use a field-based format with defaults and optional conditional overrides:

capabilities:
  - field: <field-name>           # dot-notation path (e.g., "license", "dependency.depth")
    default: <value>              # value when no conditions match
    conditions:                   # optional - conditional overrides evaluated in order
      - when: {ConfigField: val}  # when these config fields match (AND logic)
        value: <override-value>   # use this value instead
        comment: "explanation"    # optional - why this condition exists
    evidence:                     # optional - source code references
      - "StructName.FieldName"
    comment: "explanation"        # optional - general field explanation

Detector Conditions

Detectors (used by custom catalogers) can have optional conditions that control when they are active. This allows a single cataloger to have different detection behavior based on configuration.

Structure
detectors:
  - method: glob                 # AUTO-GENERATED - detection method
    criteria: ["**/*.jar"]       # AUTO-GENERATED - patterns to match
    comment: "always active"     # MANUAL - optional explanation
  - method: glob
    criteria: ["**/*.zip"]
    conditions:                  # MANUAL - when this detector is active
      - when: {IncludeZipFiles: true}  # config fields that must match
        comment: "optional explanation"
    comment: "ZIP detection requires config"
Notes
  • Conditions reference fields from the cataloger's config struct
  • Multiple conditions in the array use OR logic (any condition can activate)
  • Multiple fields in a when clause use AND logic (all must match)
  • Detectors without conditions are always active
  • Only custom catalogers support detectors with conditions

Condition Evaluation

  • Conditions are evaluated in array order (first match wins)
  • Multiple fields in a when clause use AND logic (all must match)
  • Multiple conditions in the array use OR logic (first matching condition)
  • If no conditions match, the default value is used

Capability Fields

Standard capability field names and their value types:

license (boolean)

Whether license information is available.

Examples:

default: true                 # always available
default: false                # never available
default: false                # requires configuration
  conditions:
    - when: {SearchRemoteLicenses: true}
      value: true
dependency.depth (array of strings)

Which dependency depths can be discovered.

Values: direct (immediate deps), indirect (transitive deps)

Examples:

default: [direct]                    # only immediate dependencies
default: [direct, indirect]          # full transitive closure
default: []                          # no dependency information
dependency.edges (string)

Relationships between nodes and completeness of the dependency graph.

Values:

  • "" - dependencies found but no edges between them
  • "flat" - single level of dependencies with edges to root package only
  • "reduced" - transitive reduction (redundant edges removed)
  • "complete" - all relationships with accurate direct and indirect edges

Examples:

default: complete
default: ""
dependency.kinds (array of strings)

Types of dependencies that can be discovered.

Values: runtime, dev, build, test, optional

Examples:

default: [runtime]                   # production dependencies only
default: [runtime, dev]              # production and development
default: [runtime, dev, build]       # all dependency types
default: [runtime]                   # with conditional dev deps
  conditions:
    - when: {IncludeDevDeps: true}
      value: [runtime, dev]
package_manager.files.listing (boolean)

Whether file listings are available (which files belong to the package).

Examples:

default: true
default: false
  conditions:
    - when: {CaptureOwnedFiles: true}
      value: true
package_manager.files.digests (boolean)

Whether file digests/checksums are included in listings.

Examples:

default: true
default: false
package_manager.package_integrity_hash (boolean)

Whether a hash for verifying package integrity is available.

Examples:

default: true
default: false

Examples

Simple cataloger with no configuration
capabilities:
  - name: license
    default: true
    comment: "license field always present in package.json"
  - name: dependency.depth
    default: [direct]
  - name: dependency.edges
    default: ""
  - name: dependency.kinds
    default: [runtime]
    comment: "devDependencies not parsed by this cataloger"
  - name: package_manager.files.listing
    default: false
  - name: package_manager.files.digests
    default: false
  - name: package_manager.package_integrity_hash
    default: false
Cataloger with configuration-dependent capabilities
capabilities:
  - name: license
    default: false
    conditions:
      - when: {SearchLocalModCacheLicenses: true}
        value: true
        comment: "searches for licenses in GOPATH mod cache"
      - when: {SearchRemoteLicenses: true}
        value: true
        comment: "fetches licenses from proxy.golang.org"
    comment: "license scanning requires configuration"
  - name: dependency.depth
    default: [direct, indirect]
  - name: dependency.edges
    default: flat
  - name: dependency.kinds
    default: [runtime, dev]
  - name: package_manager.files.listing
    default: false
  - name: package_manager.files.digests
    default: false
  - name: package_manager.package_integrity_hash
    default: true
    evidence:
      - "GolangBinaryBuildinfoEntry.H1Digest"

Documentation

Overview

Package capabilities provides discovery and tracking of cataloger capabilities.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConditionMatches 

func ConditionMatches(when map[string]interface{}, config map[string]interface{}) bool

ConditionMatches checks if a condition's when clause matches the given configuration. All fields in the when clause must match the config (AND logic). Returns true if all key-value pairs in when match the config.

func EvaluateCapabilities 

func EvaluateCapabilities(caps CapabilitySet, config map[string]interface{}) map[string]interface{}

EvaluateCapabilities evaluates a capability set against a given configuration and returns the effective capability values as a flat map. Example: {"license": false, "dependency.depth": ["direct", "indirect"]}

func EvaluateField 

func EvaluateField(capField CapabilityField, config map[string]interface{}) interface{}

EvaluateField evaluates a single capability field against a configuration. Conditions are evaluated in order, and the first matching condition's value is returned. If no conditions match, the default value is returned.

func RegisterCatalogerFiles 

func RegisterCatalogerFiles(f embed.FS)

Types

type ApplicationConfigField 

type ApplicationConfigField struct {
	Key          string `yaml:"key" json:"key"`
	Description  string `yaml:"description" json:"description"`
	DefaultValue any    `yaml:"default,omitempty" json:"default,omitempty"`
}

ApplicationConfigField represents an application-level configuration field

type ArtifactDetectionMethod 

type ArtifactDetectionMethod string

ArtifactDetectionMethod specifies the type of artifact detection mechanism 

const (
	// GlobDetection matches artifacts using glob patterns (e.g., "**/*.jar", "*.pyc")
	GlobDetection ArtifactDetectionMethod = "glob"
	// PathDetection matches artifacts by exact file path (e.g., "/usr/bin/python", "package.json")
	PathDetection ArtifactDetectionMethod = "path"
	// MIMETypeDetection matches artifacts by MIME type (e.g., "application/x-executable", "text/x-python")
	MIMETypeDetection ArtifactDetectionMethod = "mimetype"
)

type CapabilityCondition 

type CapabilityCondition struct {
	// When specifies config field names and their required values (all must match - AND logic)
	// Example: {"SearchRemoteLicenses": true, "UseNetwork": true}
	When map[string]any `yaml:"when" json:"when"`
	// Value is the capability value when the condition matches
	Value any `yaml:"value" json:"value"`
	// Comment provides optional explanation of this condition
	Comment string `yaml:"comment,omitempty" json:"comment,omitempty"`
}

CapabilityCondition represents a conditional override for a capability field value. When the config fields specified in When match, the Value is used instead of Default.

type CapabilityField 

type CapabilityField struct {
	// Name is the dot-notation path to the capability (e.g., "license", "dependency.depth")
	Name string `yaml:"name" json:"name"`
	// Default is the value when no conditions match
	Default any `yaml:"default" json:"default"`
	// Conditions are optional conditional overrides evaluated in order (first match wins)
	Conditions []CapabilityCondition `yaml:"conditions,omitempty" json:"conditions,omitempty"`
	// Evidence provides optional references to source code that implements this capability
	Evidence []string `yaml:"evidence,omitempty" json:"evidence,omitempty"`
	// Comment provides optional human-readable explanation
	Comment string `yaml:"comment,omitempty" json:"comment,omitempty"`
}

CapabilityField represents a single capability field with optional conditional values based on configuration. This is the V2 capabilities format that replaces the mode-based approach.

type CapabilitySet 

type CapabilitySet []CapabilityField

CapabilitySet represents a collection of capability fields (V2 format)

type CatalogerConfigEntry 

type CatalogerConfigEntry struct {
	Fields []CatalogerConfigFieldEntry `yaml:"fields" json:"fields"`
}

CatalogerConfigEntry represents a complete configuration struct (e.g., golang.CatalogerConfig)

type CatalogerConfigFieldEntry 

type CatalogerConfigFieldEntry struct {
	Key         string `yaml:"key" json:"key"`
	Description string `yaml:"description" json:"description"`
	AppKey      string `yaml:"app_key,omitempty" json:"app_key,omitempty"` // maps to app-level config key
}

CatalogerConfigFieldEntry represents a single field in a cataloger configuration struct

type CatalogerEntry 

type CatalogerEntry struct {
	Ecosystem       string        `yaml:"ecosystem" json:"ecosystem"`                                     // MANUAL - ecosystem categorization (e.g., "python", "java", "javascript")
	Name            string        `yaml:"name" json:"name"`                                               // AUTO-GENERATED for generic, MANUAL for custom
	Type            string        `yaml:"type" json:"type"`                                               // AUTO-GENERATED: "generic" or "custom"
	Source          Source        `yaml:"source" json:"source"`                                           // AUTO-GENERATED for generic, MANUAL for custom
	Config          string        `yaml:"config,omitempty" json:"config,omitempty"`                       // e.g., "golang.CatalogerConfig"
	Selectors       []string      `yaml:"selectors,omitempty" json:"selectors,omitempty"`                 // AUTO-GENERATED - cataloger name tags for selection
	Parsers         []Parser      `yaml:"parsers,omitempty" json:"parsers,omitempty"`                     // AUTO-GENERATED structure, only for type=generic
	Detectors       []Detector    `yaml:"detectors,omitempty" json:"detectors,omitempty"`                 // AUTO-GENERATED - detection methods (only for type=custom)
	MetadataTypes   []string      `yaml:"metadata_types,omitempty" json:"metadata_types,omitempty"`       // AUTO-GENERATED - pkg metadata types emitted (only for type=custom)
	PackageTypes    []string      `yaml:"package_types,omitempty" json:"package_types,omitempty"`         // AUTO-GENERATED - package types emitted (only for type=custom)
	JSONSchemaTypes []string      `yaml:"json_schema_types,omitempty" json:"json_schema_types,omitempty"` // AUTO-GENERATED - JSON schema type names (UpperCamelCase)
	Capabilities    CapabilitySet `yaml:"capabilities,omitempty" json:"capabilities,omitempty"`           // MANUAL - config-driven capability definitions (only for type=custom)
}

CatalogerEntry represents a single cataloger's capabilities

func Packages 

func Packages() ([]CatalogerEntry, error)

Packages loads and returns all cataloger capabilities from the embedded YAML file

type CatalogerInfo 

type CatalogerInfo struct {
	Name      string
	Selectors []string // tags for cataloger name selection
}

CatalogerInfo represents a cataloger's name and selection tags

func ExtractCatalogerInfo 

func ExtractCatalogerInfo(tasks []task.Task) []CatalogerInfo

ExtractCatalogerInfo extracts cataloger names and their selection tags from tasks

type Detector 

type Detector struct {
	Method     ArtifactDetectionMethod `yaml:"method" json:"method"`                             // AUTO-GENERATED
	Criteria   []string                `yaml:"criteria" json:"criteria"`                         // AUTO-GENERATED
	Conditions []DetectorCondition     `yaml:"conditions,omitempty" json:"conditions,omitempty"` // MANUAL - when this detector should be active
	Packages   []DetectorPackageInfo   `yaml:"packages,omitempty" json:"packages,omitempty"`     // AUTO-GENERATED for binary-classifier-cataloger
	Comment    string                  `yaml:"comment,omitempty" json:"comment,omitempty"`       // MANUAL - explanation of this detector
}

Detector describes how artifacts are detected (method and criteria)

type DetectorCondition 

type DetectorCondition struct {
	// When specifies config field names and their required values (all must match - AND logic)
	When map[string]any `yaml:"when" json:"when"`
	// Comment provides optional explanation of this condition
	Comment string `yaml:"comment,omitempty" json:"comment,omitempty"`
}

DetectorCondition specifies when a detector should be active based on configuration

type DetectorPackageInfo 

type DetectorPackageInfo struct {
	Class string   `yaml:"class" json:"class"` // classifier class (e.g., "python-binary-lib")
	Name  string   `yaml:"name" json:"name"`   // package name (e.g., "python")
	PURL  string   `yaml:"purl" json:"purl"`   // package URL without version (e.g., "pkg:generic/python")
	CPEs  []string `yaml:"cpes" json:"cpes"`   // CPE strings
	Type  string   `yaml:"type" json:"type"`   // package type (e.g., "BinaryPkg")
}

DetectorPackageInfo describes package information that a detector can produce

type Document 

type Document struct {
	Configs           map[string]CatalogerConfigEntry `yaml:"configs,omitempty" json:"configs,omitempty"`         // config structs with their fields
	ApplicationConfig []ApplicationConfigField        `yaml:"application,omitempty" json:"application,omitempty"` // application-level config keys
	Catalogers        []CatalogerEntry                `yaml:"catalogers" json:"catalogers"`
}

Document represents the root structure of the capabilities YAML file

func LoadDocument 

func LoadDocument() (*Document, error)

LoadDocument loads and returns the complete document including configs and app-configs

type Parser 

type Parser struct {
	ParserFunction  string        `yaml:"function" json:"function"`                                       // AUTO-GENERATED (used as preservation key)
	Detector        Detector      `yaml:"detector" json:"detector"`                                       // AUTO-GENERATED - how artifacts are detected
	MetadataTypes   []string      `yaml:"metadata_types,omitempty" json:"metadata_types,omitempty"`       // AUTO-GENERATED - pkg metadata types emitted by this parser
	PackageTypes    []string      `yaml:"package_types,omitempty" json:"package_types,omitempty"`         // AUTO-GENERATED - package types emitted by this parser
	JSONSchemaTypes []string      `yaml:"json_schema_types,omitempty" json:"json_schema_types,omitempty"` // AUTO-GENERATED - JSON schema type names (UpperCamelCase)
	Capabilities    CapabilitySet `yaml:"capabilities,omitempty" json:"capabilities,omitempty"`           // MANUAL - config-driven capability definitions
}

Parser represents a parser function and its artifact detection criteria for generic catalogers

type Source 

type Source struct {
	File     string `yaml:"file" json:"file"`         // AUTO-GENERATED for generic, MANUAL for custom
	Function string `yaml:"function" json:"function"` // AUTO-GENERATED for generic, MANUAL for custom
}

Source describes the source code location of a cataloger

Source Files

View all Source files

Directories

Path Synopsis
this file links catalogers to their configuration structs by analyzing constructor function signatures to determine which config struct each cataloger uses.
 this file links catalogers to their configuration structs by analyzing constructor function signatures to determine which config struct each cataloger uses.
this file retrieves the canonical list of cataloger names and their selectors from syft's task factories.
 this file retrieves the canonical list of cataloger names and their selectors from syft's task factories.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.