pkg

package
v1.40.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 15, 2026 License: Apache-2.0 Imports: 27 Imported by: 286

Documentation

Overview

Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.

Index

Constants

View Source 
const (
	EvidenceAnnotationKey        = evidence.AnnotationKey
	PrimaryEvidenceAnnotation    = evidence.PrimaryAnnotation
	SupportingEvidenceAnnotation = evidence.SupportingAnnotation
)
View Source 
const (
	SnapTypeBase   = "base"
	SnapTypeKernel = "kernel"
	SnapTypeApp    = "app"
	SnapTypeGadget = "gadget"
	SnapTypeSnapd  = "snapd"
)
View Source 
const (
	PURLQualifierArch   = "arch"
	PURLQualifierCPES   = "cpes"
	PURLQualifierDistro = "distro"
	PURLQualifierEpoch  = "epoch"
	PURLQualifierVCSURL = "vcs_url"

	// PURLQualifierUpstream this qualifier is not in the pURL spec, but is used by grype to perform indirect matching based on source information
	PURLQualifierUpstream = "upstream"

	// PURLQualifierRpmModularity this qualifier is not in the pURL spec, but is used to specify RPM modularity information
	PURLQualifierRpmModularity = "rpmmod"
)
View Source 
const AlpmDBGlob = "**/var/lib/pacman/local/**/desc"
View Source 
const ApkDBGlob = "**/lib/apk/db/installed"
View Source 
const DpkgDBGlob = "**/var/lib/dpkg/{status,status.d/**}"
View Source 
const RpmDBGlob = "**/{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}"

RpmDBGlob is the glob pattern used to find RPM DB files. Where: - /var/lib/rpm/... is the typical path for most distributions - /usr/share/rpm/... is common for rpm-ostree distributions (coreos-like) - Packages is the legacy Berkeley db based format - Packages.db is the "ndb" format used in SUSE - rpmdb.sqlite is the sqlite format used in fedora + derivates

View Source 
const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"

RpmManifestGlob is used in CBL-Mariner distroless images

Variables

View Source 
var AllLanguages = []Language{
	CPP,
	Dart,
	Dotnet,
	Elixir,
	Erlang,
	Go,
	Haskell,
	Java,
	JavaScript,
	Lua,
	OCaml,
	PHP,
	Python,
	R,
	Ruby,
	Rust,
	Swift,
	Swipl,
}

AllLanguages is a set of all programming languages detected by syft.

View Source 
var AllPkgs = []Type{
	AlpmPkg,
	ApkPkg,
	BinaryPkg,
	BitnamiPkg,
	CocoapodsPkg,
	ConanPkg,
	CondaPkg,
	DartPubPkg,
	DebPkg,
	DotnetPkg,
	ErlangOTPPkg,
	GemPkg,
	GithubActionPkg,
	GithubActionWorkflowPkg,
	GraalVMNativeImagePkg,
	GoModulePkg,
	HackagePkg,
	HexPkg,
	JavaPkg,
	JenkinsPluginPkg,
	KbPkg,
	LinuxKernelPkg,
	LinuxKernelModulePkg,
	NixPkg,
	NpmPkg,
	OpamPkg,
	PhpComposerPkg,
	PhpPeclPkg,
	PhpPearPkg,
	PortagePkg,
	PythonPkg,
	Rpkg,
	LuaRocksPkg,
	RpmPkg,
	RustPkg,
	SwiftPkg,
	SwiplPackPkg,
	TerraformPkg,
	WordpressPluginPkg,
	HomebrewPkg,
	ModelPkg,
}

AllPkgs represents all supported package types

Functions

func IsValid added in v0.47.0 

func IsValid(p *Package) bool

IsValid checks whether a package has the minimum necessary info which is a non-empty name. The nil-check was added as a helper as often, in this code base, packages move between callers as pointers. CycloneDX and SPDX define Name as the minimum required info for a valid package: * https://spdx.github.io/spdx-spec/package-information/#73-package-version-field * https://cyclonedx.org/docs/1.4/json/#components_items_name

func Less added in v0.61.0 

func Less(i, j Package) bool

func PURLQualifiers added in v0.60.0 

func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)

func Sort added in v0.60.3 

func Sort(pkgs []Package)

Types

type AlpmDBEntry added in v0.95.0 

type AlpmDBEntry struct {
	// BasePackage is the base package name this package was built from (source package in Arch build system)
	BasePackage string `mapstructure:"base" json:"basepackage" cyclonedx:"basepackage"`

	// Package is the package name as found in the desc file
	Package string `mapstructure:"name" json:"package" cyclonedx:"package"`

	// Version is the package version as found in the desc file
	Version string `mapstructure:"version" json:"version" cyclonedx:"version"`

	// Description is a human-readable package description
	Description string `mapstructure:"desc" json:"description" cyclonedx:"description"`

	// Architecture is the target CPU architecture as defined in Arch architecture spec (e.g. x86_64, aarch64, or "any" for arch-independent packages)
	Architecture string `mapstructure:"arch" json:"architecture" cyclonedx:"architecture"`

	// Size is the installed size in bytes
	Size int `mapstructure:"size" json:"size" cyclonedx:"size"`

	// Packager is the name and email of the person who packaged this (RFC822 format)
	Packager string `mapstructure:"packager" json:"packager"`

	// URL is the upstream project URL
	URL string `mapstructure:"url" json:"url"`

	// Validation is the validation method used for package integrity (e.g. pgp signature, sha256 checksum)
	Validation string `mapstructure:"validation" json:"validation"`

	// Reason is the installation reason tracked by pacman (0=explicitly installed by user, 1=installed as dependency)
	Reason int `mapstructure:"reason" json:"reason"`

	// Files are the files installed by this package
	Files []AlpmFileRecord `mapstructure:"files" json:"files"`

	// Backup is the list of configuration files that pacman backs up before upgrades
	Backup []AlpmFileRecord `mapstructure:"backup" json:"backup"`

	// Provides are virtual packages provided by this package (allows other packages to depend on capabilities rather than specific packages)
	Provides []string `mapstructure:"provides" json:"provides,omitempty"`

	// Depends are the runtime dependencies required by this package
	Depends []string `mapstructure:"depends" json:"depends,omitempty"`
}

AlpmDBEntry is a struct that represents the package data stored in the pacman flat-file stores for arch linux.

func (AlpmDBEntry) OwnedFiles added in v0.95.0 

func (m AlpmDBEntry) OwnedFiles() (result []string)

type AlpmFileRecord added in v0.48.0 

type AlpmFileRecord struct {
	// Path is the file path relative to the filesystem root
	Path string `mapstruture:"path" json:"path,omitempty"`

	// Type is the file type (e.g. regular file, directory, symlink)
	Type string `mapstructure:"type" json:"type,omitempty"`

	// UID is the file owner user ID as recorded by pacman
	UID string `mapstructure:"uid" json:"uid,omitempty"`

	// GID is the file owner group ID as recorded by pacman
	GID string `mapstructure:"gid" json:"gid,omitempty"`

	// Time is the file modification timestamp
	Time time.Time `mapstructure:"time" json:"time,omitempty"`

	// Size is the file size in bytes
	Size string `mapstructure:"size" json:"size,omitempty"`

	// Link is the symlink target path if this is a symlink
	Link string `mapstructure:"link" json:"link,omitempty"`

	// Digests contains file content hashes for integrity verification
	Digests []file.Digest `mapstructure:"digests" json:"digest,omitempty"`
}

AlpmFileRecord represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman.

type ApkDBEntry added in v0.95.0 

type ApkDBEntry struct {
	// Package is the package name as found in the installed file
	Package string `mapstructure:"P" json:"package"`

	// OriginPackage is the original source package name this binary was built from (used to track which aport/source built this)
	OriginPackage string `mapstructure:"o" json:"originPackage" cyclonedx:"originPackage"`

	// Maintainer is the package maintainer name and email
	Maintainer string `mapstructure:"m" json:"maintainer"`

	// Version is the package version as found in the installed file
	Version string `mapstructure:"V" json:"version"`

	// Architecture is the target CPU architecture
	Architecture string `mapstructure:"A" json:"architecture"`

	// URL is the upstream project URL
	URL string `mapstructure:"U" json:"url"`

	// Description is a human-readable package description
	Description string `mapstructure:"T" json:"description"`

	// Size is the package archive size in bytes (.apk file size)
	Size int `mapstructure:"S" json:"size" cyclonedx:"size"`

	// InstalledSize is the total size of installed files in bytes
	InstalledSize int `mapstructure:"I" json:"installedSize" cyclonedx:"installedSize"`

	// Dependencies are the runtime dependencies required by this package
	Dependencies []string `mapstructure:"D" json:"pullDependencies" cyclonedx:"pullDependencies"`

	// Provides are virtual packages provided by this package (for capability-based dependencies)
	Provides []string `mapstructure:"p" json:"provides" cyclonedx:"provides"`

	// Checksum is the package content checksum for integrity verification
	Checksum string `mapstructure:"C" json:"pullChecksum" cyclonedx:"pullChecksum"`

	// GitCommit is the git commit hash of the APK port definition in Alpine's aports repository
	GitCommit string `mapstructure:"c" json:"gitCommitOfApkPort" cyclonedx:"gitCommitOfApkPort"`

	// Files are the files installed by this package
	Files []ApkFileRecord `json:"files"`
}

ApkDBEntry represents all captured data for the alpine linux package manager flat-file store. See the following sources for more information: - https://wiki.alpinelinux.org/wiki/Apk_spec - https://git.alpinelinux.org/apk-tools/tree/src/package.c - https://git.alpinelinux.org/apk-tools/tree/src/database.c

func (ApkDBEntry) OwnedFiles added in v0.95.0 

func (m ApkDBEntry) OwnedFiles() (result []string)

func (*ApkDBEntry) UnmarshalJSON added in v0.95.0 

func (m *ApkDBEntry) UnmarshalJSON(data []byte) error

type ApkFileRecord 

type ApkFileRecord struct {
	// Path is the file path relative to the filesystem root
	Path string `json:"path"`

	// OwnerUID is the file owner user ID
	OwnerUID string `json:"ownerUid,omitempty"`

	// OwnerGID is the file owner group ID
	OwnerGID string `json:"ownerGid,omitempty"`

	// Permissions is the file permission mode string (e.g. "0755", "0644")
	Permissions string `json:"permissions,omitempty"`

	// Digest is the file content hash for integrity verification
	Digest *file.Digest `json:"digest,omitempty"`
}

ApkFileRecord represents a single file listing and metadata from a APK DB entry (which may have many of these file records).

type BinarySignature added in v0.95.0 

type BinarySignature struct {
	Matches []ClassifierMatch `mapstructure:"Matches" json:"matches"`
}

BinarySignature represents a set of matched values within a binary file.

type BitnamiSBOMEntry added in v1.20.0 

type BitnamiSBOMEntry struct {
	// Name is the package name as found in the Bitnami SPDX file
	Name string `mapstructure:"name" json:"name"`

	// Architecture is the target CPU architecture (amd64 or arm64 in Bitnami images)
	Architecture string `mapstructure:"arch" json:"arch"`

	// Distro is the distribution name this package is for (base OS like debian, ubuntu, etc.)
	Distro string `mapstructure:"distro" json:"distro"`

	// Revision is the Bitnami-specific package revision number (incremented for Bitnami rebuilds of same upstream version)
	Revision string `mapstructure:"revision" json:"revision"`

	// Version is the package version as found in the Bitnami SPDX file
	Version string `mapstructure:"version" json:"version"`

	// Path is the installation path in the filesystem where the package is located
	Path string `mapstructure:"path" json:"path"`

	// Files are the file paths owned by this package (tracked via SPDX relationships)
	Files []string `mapstructure:"files" json:"files"`
}

BitnamiSBOMEntry represents all captured data from Bitnami packages described in Bitnami' SPDX files.

func (BitnamiSBOMEntry) OwnedFiles added in v1.20.0 

func (b BitnamiSBOMEntry) OwnedFiles() (result []string)

type Cataloger added in v0.60.0 

type Cataloger interface {
	// Name returns a string that uniquely describes a cataloger
	Name() string
	// Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source.
	Catalog(context.Context, file.Resolver) ([]Package, []artifact.Relationship, error)
}

Cataloger describes behavior for an object to participate in parsing container image or file system contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages for a specific Package Type or ecosystem.

type ClassifierMatch added in v0.73.0 

type ClassifierMatch struct {
	Classifier string        `mapstructure:"Classifier" json:"classifier"`
	Location   file.Location `mapstructure:"Location" json:"location"`
}

ClassifierMatch represents a single matched value within a binary file and the "class" name the search pattern represents.

type CocoaPodfileLockEntry added in v0.95.0 

type CocoaPodfileLockEntry struct {
	// Checksum is the SHA-1 hash of the podspec file for integrity verification (generated via `pod ipc spec ... | openssl sha1`), ensuring all team members use the same pod specification version
	Checksum string `mapstructure:"checksum" json:"checksum"`
}

CocoaPodfileLockEntry represents a single entry from the "Pods" section of a Podfile.lock file.

type Collection added in v0.80.0 

type Collection struct {
	// contains filtered or unexported fields
}

Collection represents a collection of Packages.

func NewCollection added in v0.80.0 

func NewCollection(pkgs ...Package) *Collection

NewCollection returns a new empty Collection

func (*Collection) Add added in v0.80.0 

func (c *Collection) Add(pkgs ...Package)

Add n packages to the collection.

func (*Collection) Delete added in v0.80.0 

func (c *Collection) Delete(ids ...artifact.ID)

func (*Collection) Enumerate added in v0.80.0 

func (c *Collection) Enumerate(types ...Type) <-chan Package

Enumerate all packages for the given type(s), enumerating all packages if no type is specified.

func (*Collection) Package added in v0.80.0 

func (c *Collection) Package(id artifact.ID) *Package

Package returns the package with the given ID.

func (*Collection) PackageCount added in v0.80.0 

func (c *Collection) PackageCount() int

PackageCount returns the total number of packages that have been added.

func (*Collection) Packages added in v0.80.0 

func (c *Collection) Packages(ids []artifact.ID) (result []Package)

Packages returns all packages for the given ID.

func (*Collection) PackagesByName added in v0.80.0 

func (c *Collection) PackagesByName(name string) []Package

PackagesByName returns all packages that were discovered with a matching name.

func (*Collection) PackagesByPath added in v0.80.0 

func (c *Collection) PackagesByPath(path string) []Package

PackagesByPath returns all packages that were discovered from the given path.

func (*Collection) Sorted added in v0.80.0 

func (c *Collection) Sorted(types ...Type) (pkgs []Package)

Sorted enumerates all packages for the given types sorted by package name. Enumerates all packages if no type is specified.

type ConanV1LockEntry added in v0.104.0 

type ConanV1LockEntry struct {
	// Ref is the package reference string in format name/version@user/channel
	Ref string `json:"ref"`

	// PackageID is a unique package variant identifier computed from settings/options (static hash in Conan 1.x, can have collisions with complex dependency graphs)
	PackageID string `json:"package_id,omitempty"`

	// Prev is the previous lock entry reference for versioning
	Prev string `json:"prev,omitempty"`

	// Requires are the runtime package dependencies
	Requires []string `json:"requires,omitempty"`

	// BuildRequires are the build-time dependencies (e.g. cmake, compilers)
	BuildRequires []string `json:"build_requires,omitempty"`

	// PythonRequires are the Python dependencies needed for Conan recipes
	PythonRequires []string `json:"py_requires,omitempty"`

	// Options are package configuration options as key-value pairs (e.g. shared=True, fPIC=True)
	Options KeyValues `json:"options,omitempty"`

	// Path is the filesystem path to the package in Conan cache
	Path string `json:"path,omitempty"`

	// Context is the build context information
	Context string `json:"context,omitempty"`
}

ConanV1LockEntry represents a single "node" entry from a conan.lock V1 file.

type ConanV2LockEntry added in v0.104.0 

type ConanV2LockEntry struct {
	// Ref is the package reference string in format name/version@user/channel
	Ref string `json:"ref"`

	// PackageID is a unique package variant identifier (dynamic in Conan 2.0, more accurate than V1)
	PackageID string `json:"packageID,omitempty"`

	// Username is the Conan user/organization name
	Username string `json:"username,omitempty"`

	// Channel is the Conan channel name indicating stability/purpose (e.g. stable, testing, experimental)
	Channel string `json:"channel,omitempty"`

	// RecipeRevision is a git-like revision hash (RREV) of the recipe
	RecipeRevision string `json:"recipeRevision,omitempty"`

	// PackageRevision is a git-like revision hash of the built binary package
	PackageRevision string `json:"packageRevision,omitempty"`

	// TimeStamp is when this package was built/locked
	TimeStamp string `json:"timestamp,omitempty"`
}

ConanV2LockEntry represents a single "node" entry from a conan.lock V2 file.

type ConanfileEntry added in v0.95.0 

type ConanfileEntry struct {
	// Ref is the package reference string in format name/version@user/channel
	Ref string `mapstructure:"ref" json:"ref"`
}

ConanfileEntry represents a single "Requires" entry from a conanfile.txt.

type ConaninfoEntry added in v0.95.0 

type ConaninfoEntry struct {
	// Ref is the package reference string in format name/version@user/channel
	Ref string `json:"ref"`

	// PackageID is a unique package variant identifier
	PackageID string `json:"package_id,omitempty"`
}

ConaninfoEntry represents a single "full_requires" entry from a conaninfo.txt. 

type CondaLink struct {
	// Source is the original path where the package was extracted from cache.
	Source string `json:"source"`

	// Type indicates the link type (1 for hard link, 2 for soft link, 3 for copy).
	Type int `json:"type"`
}

CondaLink represents link metadata from a Conda package's link.json file describing package installation source.

type CondaMetaPackage added in v1.32.0 

type CondaMetaPackage struct {
	// Arch is the target CPU architecture for the package (e.g., "arm64", "x86_64").
	Arch string `json:"arch,omitempty"`

	// Name is the package name as found in the conda-meta JSON file.
	Name string `json:"name"`

	// Version is the package version as found in the conda-meta JSON file.
	Version string `json:"version"`

	// Build is the build string identifier (e.g., "h90dfc92_1014").
	Build string `json:"build"`

	// BuildNumber is the sequential build number for this version.
	BuildNumber int `json:"build_number"`

	// Channel is the Conda channel URL where the package was retrieved from.
	Channel string `json:"channel,omitempty"`

	// Subdir is the subdirectory within the channel (e.g., "osx-arm64", "linux-64").
	Subdir string `json:"subdir,omitempty"`

	// Noarch indicates if the package is platform-independent (e.g., "python", "generic").
	Noarch string `json:"noarch,omitempty"`

	// License is the package license identifier.
	License string `json:"license,omitempty"`

	// LicenseFamily is the general license category (e.g., "MIT", "Apache", "GPL").
	LicenseFamily string `json:"license_family,omitempty"`

	// MD5 is the MD5 hash of the package archive.
	MD5 string `json:"md5,omitempty"`

	// SHA256 is the SHA-256 hash of the package archive.
	SHA256 string `json:"sha256,omitempty"`

	// Size is the package archive size in bytes.
	Size int64 `json:"size,omitempty"`

	// Timestamp is the Unix timestamp when the package was built.
	Timestamp int64 `json:"timestamp,omitempty"`

	// Filename is the original package archive filename (e.g., "zlib-1.2.11-h90dfc92_1014.tar.bz2").
	Filename string `json:"fn,omitempty"`

	// URL is the full download URL for the package archive.
	URL string `json:"url,omitempty"`

	// ExtractedPackageDir is the local cache directory where the package was extracted.
	ExtractedPackageDir string `json:"extracted_package_dir,omitempty"`

	// Depends is the list of runtime dependencies with version constraints.
	Depends []string `json:"depends,omitempty"`

	// Files is the list of files installed by this package.
	Files []string `json:"files,omitempty"`

	// PathsData contains detailed file metadata from the paths.json file.
	PathsData *CondaPathsData `json:"paths_data,omitempty"`

	// Link contains installation source metadata from the link.json file.
	Link *CondaLink `json:"link,omitempty"`
}

CondaMetaPackage represents metadata for a Conda package extracted from the conda-meta/*.json files.

func (CondaMetaPackage) OwnedFiles added in v1.32.0 

func (m CondaMetaPackage) OwnedFiles() (result []string)

type CondaPathData added in v1.32.0 

type CondaPathData struct {
	// Path is the file path relative to the Conda environment root.
	Path string `json:"_path"`

	// PathType indicates the link type for the file (e.g., "hardlink", "softlink", "directory").
	PathType string `json:"path_type"`

	// SHA256 is the SHA-256 hash of the file contents.
	SHA256 string `json:"sha256"`

	// SHA256InPrefix is the SHA-256 hash of the file after prefix replacement during installation.
	SHA256InPrefix string `json:"sha256_in_prefix"`

	// SizeInBytes is the file size in bytes.
	SizeInBytes int64 `json:"size_in_bytes"`
}

CondaPathData represents metadata for a single file within a Conda package from the paths.json file.

type CondaPathsData added in v1.32.0 

type CondaPathsData struct {
	// PathsVersion is the schema version of the paths data format.
	PathsVersion int `json:"paths_version"`

	// Paths is the list of file metadata entries for all files in the package.
	Paths []CondaPathData `json:"paths"`
}

CondaPathsData represents the paths.json file structure from a Conda package containing file metadata.

type DartPubspec added in v1.24.0 

type DartPubspec struct {
	// Homepage is the package homepage URL
	Homepage string `mapstructure:"homepage" json:"homepage,omitempty"`

	// Repository is the source code repository URL
	Repository string `mapstructure:"repository" json:"repository,omitempty"`

	// Documentation is the documentation site URL
	Documentation string `mapstructure:"documentation" json:"documentation,omitempty"`

	// PublishTo is the package repository to publish to, or "none" to prevent accidental publishing
	PublishTo string `mapstructure:"publish_to" json:"publish_to,omitempty"`

	// Environment is SDK version constraints for Dart and Flutter
	Environment *DartPubspecEnvironment `mapstructure:"environment" json:"environment,omitempty"`

	// Platforms are the supported platforms (Android, iOS, web, etc.)
	Platforms []string `mapstructure:"platforms" json:"platforms,omitempty"`

	// IgnoredAdvisories are the security advisories to explicitly ignore for this package
	IgnoredAdvisories []string `mapstructure:"ignored_advisories" json:"ignored_advisories,omitempty"`
}

DartPubspec is a struct that represents a package described in a pubspec.yaml file

type DartPubspecEnvironment added in v1.24.0 

type DartPubspecEnvironment struct {
	// SDK is the Dart SDK version constraint (e.g. ">=2.12.0 <3.0.0")
	SDK string `mapstructure:"sdk" json:"sdk,omitempty"`

	// Flutter is the Flutter SDK version constraint if this is a Flutter package
	Flutter string `mapstructure:"flutter" json:"flutter,omitempty"`
}

DartPubspecEnvironment represents SDK version constraints from the environment section of pubspec.yaml.

type DartPubspecLockEntry added in v0.95.0 

type DartPubspecLockEntry struct {
	// Name is the package name as found in the pubspec.lock file
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in the pubspec.lock file
	Version string `mapstructure:"version" json:"version"`

	// HostedURL is the URL of the package repository for hosted packages (typically pub.dev, but can be custom repository identified by hosted-url). When PUB_HOSTED_URL environment variable changes, lockfile tracks the source.
	HostedURL string `mapstructure:"hosted_url" json:"hosted_url,omitempty"`

	// VcsURL is the URL of the VCS repository for git/path dependencies (for packages fetched from version control systems like Git)
	VcsURL string `mapstructure:"vcs_url" json:"vcs_url,omitempty"`
}

DartPubspecLockEntry is a struct that represents a single entry found in the "packages" section in a Dart pubspec.lock file.

type DotnetDepsEntry added in v0.95.0 

type DotnetDepsEntry struct {
	// Name is the package name as found in the deps.json file
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in the deps.json file
	Version string `mapstructure:"version" json:"version"`

	// Path is the relative path to the package within the deps structure (e.g. "app.metrics/3.0.0")
	Path string `mapstructure:"path" json:"path"`

	// Sha512 is the SHA-512 hash of the NuGet package content WITHOUT the signed content for verification (won't match hash from NuGet API or manual calculation of .nupkg file)
	Sha512 string `mapstructure:"sha512" json:"sha512"`

	// HashPath is the relative path to the .nupkg.sha512 hash file (e.g. "app.metrics.3.0.0.nupkg.sha512")
	HashPath string `mapstructure:"hashPath" json:"hashPath"`

	// Type is type of entry could be package or project for internal refs
	Type string `mapstructure:"type" json:"type,omitempty"`

	// Executables are the map of .NET Portable Executable files within this package with their version resources
	Executables map[string]DotnetPortableExecutableEntry `json:"executables,omitempty"`
}

DotnetDepsEntry is a struct that represents a single entry found in the "libraries" section in a .NET [*.]deps.json file.

type DotnetPackagesLockEntry added in v1.19.0 

type DotnetPackagesLockEntry struct {
	// Name is the package name as found in the packages.lock.json file
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in the packages.lock.json file
	Version string `mapstructure:"version" json:"version"`

	// ContentHash is the hash of the package content for verification
	ContentHash string `mapstructure:"contentHash" json:"contentHash"`

	// Type is the dependency type indicating how this dependency was added (Direct=explicit in project file, Transitive=pulled in by another package, Project=project reference)
	Type string `mapstructure:"type" json:"type"`
}

DotnetPackagesLockEntry is a struct that represents a single entry found in the "dependencies" section in a .NET packages.lock.json file.

type DotnetPortableExecutableEntry added in v0.95.0 

type DotnetPortableExecutableEntry struct {
	// AssemblyVersion is the .NET assembly version number (strong-named version)
	AssemblyVersion string `json:"assemblyVersion"`

	// LegalCopyright is the copyright notice string
	LegalCopyright string `json:"legalCopyright"`

	// Comments are additional comments or description embedded in PE resources
	Comments string `json:"comments,omitempty"`

	// InternalName is the internal name of the file
	InternalName string `json:"internalName,omitempty"`

	// CompanyName is the company that produced the file
	CompanyName string `json:"companyName"`

	// ProductName is the name of the product this file is part of
	ProductName string `json:"productName"`

	// ProductVersion is the version of the product (may differ from AssemblyVersion)
	ProductVersion string `json:"productVersion"`
}

DotnetPortableExecutableEntry is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.

type DpkgArchiveEntry added in v1.22.0 

type DpkgArchiveEntry DpkgDBEntry

DpkgArchiveEntry represents package metadata extracted from a .deb archive file.

type DpkgDBEntry added in v0.95.0 

type DpkgDBEntry struct {
	// Package is the package name as found in the status file
	Package string `json:"package"`

	// Source is the source package name this binary was built from (one source can produce multiple binary packages)
	Source string `json:"source" cyclonedx:"source"`

	// Version is the binary package version as found in the status file
	Version string `json:"version"`

	// SourceVersion is the source package version (may differ from binary version when binNMU rebuilds occur)
	SourceVersion string `json:"sourceVersion" cyclonedx:"sourceVersion"`

	// Architecture is the target architecture per Debian spec (specific arch like amd64/arm64, wildcard like any, architecture-independent "all", or "source" for source packages)
	Architecture string `json:"architecture"`

	// Maintainer is the package maintainer's name and email in RFC822 format (name must come first, then email in angle brackets)
	Maintainer string `json:"maintainer"`

	// InstalledSize is the total size of installed files in kilobytes
	InstalledSize int `json:"installedSize" cyclonedx:"installedSize"`

	// Description is a human-readable package description with synopsis (first line) and long description (multiline format)
	Description string `hash:"ignore" json:"-"`

	// Provides are the virtual packages provided by this package (allows other packages to depend on capabilities. Can include versioned provides like "libdigest-md5-perl (= 2.55.01)")
	Provides []string `json:"provides,omitempty"`

	// Depends are the packages required for this package to function (will not be installed unless these requirements are met, creates strict ordering constraint)
	Depends []string `json:"depends,omitempty"`

	// PreDepends are the packages that must be installed and configured BEFORE even starting installation of this package (stronger than Depends, discouraged unless absolutely necessary as it adds strict constraints for apt)
	PreDepends []string `json:"preDepends,omitempty"`

	// Files are the files installed by this package
	Files []DpkgFileRecord `json:"files"`
}

DpkgDBEntry represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section. Additional information about how these fields are used can be found at

func (DpkgDBEntry) OwnedFiles added in v0.95.0 

func (m DpkgDBEntry) OwnedFiles() (result []string)

type DpkgFileRecord added in v0.7.0 

type DpkgFileRecord struct {
	// Path is the file path relative to the filesystem root
	Path string `json:"path"`

	// Digest is the file content hash (typically MD5 for dpkg compatibility with legacy systems)
	Digest *file.Digest `json:"digest,omitempty"`

	// IsConfigFile is whether this file is marked as a configuration file (dpkg will preserve user modifications during upgrades)
	IsConfigFile bool `json:"isConfigFile"`
}

DpkgFileRecord represents a single file attributed to a debian package.

type ELFBinaryPackageNoteJSONPayload added in v1.1.0 

type ELFBinaryPackageNoteJSONPayload struct {

	// Type is the type of the package (e.g. "rpm", "deb", "apk", etc.)
	Type string `json:"type,omitempty"`

	// Architecture of the binary package (e.g. "amd64", "arm", etc.)
	Architecture string `json:"architecture,omitempty"`

	// OSCPE is a CPE name for the OS, typically corresponding to CPE_NAME in os-release (e.g. cpe:/o:fedoraproject:fedora:33)
	//
	// Deprecated: in Syft 2.0 the struct tag will be corrected to `osCpe` to match the systemd spec casing.
	OSCPE string `json:"osCPE,omitempty"`

	// AppCpe is a CPE name for the upstream Application, as found in NVD CPE search (e.g. cpe:2.3:a:gnu:coreutils:5.0)
	AppCpe string `json:"appCpe,omitempty"`

	// OS is the OS name, typically corresponding to ID in os-release (e.g. "fedora")
	OS string `json:"os,omitempty"`

	// osVersion is the version of the OS, typically corresponding to VERSION_ID in os-release (e.g. "33")
	OSVersion string `json:"osVersion,omitempty"`

	// System is a context-specific name for the system that the binary package is intended to run on or a part of
	System string `json:"system,omitempty"`

	// Vendor is the individual or organization that produced the source code for the binary
	Vendor string `json:"vendor,omitempty"`

	// SourceRepo is the URL to the source repository for which the binary was built from
	SourceRepo string `json:"sourceRepo,omitempty"`

	// Commit is the commit hash of the source repository for which the binary was built from
	Commit string `json:"commit,omitempty"`
}

ELFBinaryPackageNoteJSONPayload Represents metadata captured from the .note.package section of an ELF-formatted binary

type ElixirMixLockEntry added in v0.95.0 

type ElixirMixLockEntry struct {
	// Name is the package name as found in the mix.lock file
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in the mix.lock file
	Version string `mapstructure:"version" json:"version"`

	// PkgHash is the outer checksum (SHA-256) of the entire Hex package tarball for integrity verification (preferred method, replaces deprecated inner checksum)
	PkgHash string `mapstructure:"pkgHash" json:"pkgHash"`

	// PkgHashExt is the extended package hash format (inner checksum is deprecated - SHA-256 of concatenated file contents excluding CHECKSUM file, now replaced by outer checksum)
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

ElixirMixLockEntry is a struct that represents a single entry in a mix.lock file

type ErlangRebarLockEntry added in v0.95.0 

type ErlangRebarLockEntry struct {
	// Name is the package name as found in the rebar.lock file
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in the rebar.lock file
	Version string `mapstructure:"version" json:"version"`

	// PkgHash is the outer checksum (SHA-256) of the entire Hex package tarball for integrity verification (preferred method over deprecated inner checksum)
	PkgHash string `mapstructure:"pkgHash" json:"pkgHash"`

	// PkgHashExt is the extended package hash format (inner checksum deprecated - was SHA-256 of concatenated file contents)
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

ErlangRebarLockEntry represents a single package entry from the "deps" section within an Erlang rebar.lock file.

type FileOwner added in v0.24.0 

type FileOwner interface {
	OwnedFiles() []string
}

FileOwner is the interface that wraps OwnedFiles method.

OwnedFiles returns a list of files that a piece of package Metadata indicates are owned by the package.

type GGUFFileHeader added in v1.38.0 

type GGUFFileHeader struct {
	// GGUFVersion is the GGUF format version (e.g., 3)
	GGUFVersion uint32 `json:"ggufVersion" cyclonedx:"ggufVersion"`

	// FileSize is the size of the GGUF file in bytes (best-effort if available from resolver)
	FileSize int64 `json:"fileSize,omitempty" cyclonedx:"fileSize"`

	// Architecture is the model architecture (from general.architecture, e.g., "qwen3moe", "llama")
	Architecture string `json:"architecture,omitempty" cyclonedx:"architecture"`

	// Quantization is the quantization type (e.g., "IQ4_NL", "Q4_K_M")
	Quantization string `json:"quantization,omitempty" cyclonedx:"quantization"`

	// Parameters is the number of model parameters (if present in header)
	Parameters uint64 `json:"parameters,omitempty" cyclonedx:"parameters"`

	// TensorCount is the number of tensors in the model
	TensorCount uint64 `json:"tensorCount" cyclonedx:"tensorCount"`

	// RemainingKeyValues contains the remaining key-value pairs from the GGUF header that are not already
	// represented as typed fields above. This preserves additional metadata fields for reference
	// (namespaced with general.*, llama.*, etc.) while avoiding duplication.
	RemainingKeyValues map[string]interface{} `json:"header,omitempty" cyclonedx:"header"`

	// MetadataKeyValuesHash is a xx64 hash of all key-value pairs from the GGUF header metadata.
	// This hash is computed over the complete header metadata (including the fields extracted
	// into typed fields above) and provides a stable identifier for the model configuration
	// across different file locations or remotes. It allows matching identical models even
	// when stored in different repositories or with different filenames.
	MetadataKeyValuesHash string `json:"metadataHash,omitempty" cyclonedx:"metadataHash"`
}

GGUFFileHeader represents metadata extracted from a GGUF (GPT-Generated Unified Format) model file. GGUF is a binary file format used for storing model weights for the GGML library, designed for fast loading and saving of models, particularly quantized large language models. The Model Name, License, and Version fields have all been lifted up to be on the syft Package.

type GitHubActionsUseStatement added in v1.23.0 

type GitHubActionsUseStatement struct {
	// Value is the action reference (e.g. "actions/checkout@v3")
	Value string `json:"value"`

	// Comment is the inline comment associated with this uses statement
	Comment string `json:"comment,omitempty"`
}

GitHubActionsUseStatement represents a single 'uses' statement in a GitHub Actions workflow file referencing an action or reusable workflow.

type GolangBinaryBuildinfoEntry added in v0.95.0 

type GolangBinaryBuildinfoEntry struct {
	// BuildSettings contains the Go build settings and flags used to compile the binary (e.g., GOARCH, GOOS, CGO_ENABLED).
	BuildSettings KeyValues `json:"goBuildSettings,omitempty" cyclonedx:"goBuildSettings"`

	// GoCompiledVersion is the version of Go used to compile the binary.
	GoCompiledVersion string `json:"goCompiledVersion" cyclonedx:"goCompiledVersion"`

	// Architecture is the target CPU architecture for the binary (extracted from GOARCH build setting).
	Architecture string `json:"architecture" cyclonedx:"architecture"`

	// H1Digest is the Go module hash in h1: format for the main module from go.sum.
	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`

	// MainModule is the main module path for the binary (e.g., "github.com/anchore/syft").
	MainModule string `json:"mainModule,omitempty" cyclonedx:"mainModule"`

	// GoCryptoSettings contains FIPS and cryptographic configuration settings if present.
	GoCryptoSettings []string `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`

	// GoExperiments lists experimental Go features enabled during compilation (e.g., "arenas", "cgocheck2").
	GoExperiments []string `json:"goExperiments,omitempty" cyclonedx:"goExperiments"`
}

GolangBinaryBuildinfoEntry represents all captured data for a Golang binary

type GolangModuleEntry added in v0.95.0 

type GolangModuleEntry struct {
	// H1Digest is the Go module hash in h1: format from go.sum for verifying module contents.
	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}

GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum

type GolangSourceEntry added in v1.32.0 

type GolangSourceEntry struct {
	// H1Digest is the Go module hash in h1: format from go.sum for verifying module contents.
	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`

	// OperatingSystem is the target OS for build constraints (e.g., "linux", "darwin", "windows").
	OperatingSystem string `json:"os,omitempty" cyclonedx:"os"`

	// Architecture is the target CPU architecture for build constraints (e.g., "amd64", "arm64").
	Architecture string `json:"architecture,omitempty" cyclonedx:"architecture"`

	// BuildTags are the build tags used to conditionally compile code (e.g., "integration,debug").
	BuildTags string `json:"buildTags,omitempty" cyclonedx:"buildTags"`

	// CgoEnabled indicates whether CGO was enabled for this package.
	CgoEnabled bool `json:"cgoEnabled" cyclonedx:"cgoEnabled"`
}

GolangSourceEntry represents all captured data for a Golang package found through source analysis

type HackageStackYamlEntry added in v0.95.0 

type HackageStackYamlEntry struct {
	// PkgHash is the package content hash for verification
	PkgHash string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`
}

HackageStackYamlEntry represents a single entry from the "extra-deps" section of a stack.yaml file.

type HackageStackYamlLockEntry added in v0.95.0 

type HackageStackYamlLockEntry struct {
	// PkgHash is the package content hash for verification
	PkgHash string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`

	// SnapshotURL is the URL to the Stack snapshot this package came from
	SnapshotURL string `mapstructure:"snapshotURL" json:"snapshotURL,omitempty"`
}

HackageStackYamlLockEntry represents a single entry from the "packages" section of a stack.yaml.lock file.

type HomebrewFormula added in v1.24.0 

type HomebrewFormula struct {
	// Tap is Homebrew tap this formula belongs to (e.g. "homebrew/core")
	Tap string `json:"tap,omitempty"`

	// Homepage is the upstream project homepage URL
	Homepage string `json:"homepage,omitempty"`

	// Description is a human-readable formula description
	Description string `json:"description,omitempty"`
}

HomebrewFormula represents metadata about a Homebrew formula package extracted from formula JSON files.

type JavaArchive added in v0.95.0 

type JavaArchive struct {
	// VirtualPath is path within the archive hierarchy, where nested entries are delimited with ':' (for nested JARs)
	VirtualPath string `json:"virtualPath" cyclonedx:"virtualPath"`

	// Manifest is parsed META-INF/MANIFEST.MF contents
	Manifest *JavaManifest `mapstructure:"Manifest" json:"manifest,omitempty"`

	// PomProperties is parsed pom.properties file contents
	PomProperties *JavaPomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"`

	// PomProject is parsed pom.xml file contents
	PomProject *JavaPomProject `mapstructure:"PomProject" json:"pomProject,omitempty"`

	// ArchiveDigests is cryptographic hashes of the archive file
	ArchiveDigests []file.Digest `hash:"ignore" json:"digest,omitempty"`

	// Parent is reference to parent package (for nested archives)
	Parent *Package `hash:"ignore" json:"-"`
}

JavaArchive encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.

type JavaManifest 

type JavaManifest struct {
	// Main is main manifest attributes as key-value pairs
	Main KeyValues `json:"main,omitempty"`

	// Sections are the named sections from the manifest (e.g. per-entry attributes)
	Sections []KeyValues `json:"sections,omitempty"`
}

JavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.

func (JavaManifest) Section added in v0.104.0 

func (m JavaManifest) Section(name string) KeyValues

func (*JavaManifest) UnmarshalJSON added in v0.104.0 

func (m *JavaManifest) UnmarshalJSON(b []byte) error

type JavaPomParent added in v0.95.0 

type JavaPomParent struct {
	// GroupID is the parent Maven group identifier
	GroupID string `json:"groupId"`

	// ArtifactID is the parent Maven artifact identifier
	ArtifactID string `json:"artifactId"`

	// Version is the parent version (child inherits configuration from this specific version of parent POM)
	Version string `json:"version"`
}

JavaPomParent contains the fields within the <parent> tag in a pom.xml file

type JavaPomProject added in v0.95.0 

type JavaPomProject struct {
	// Path is path to the pom.xml file within the archive
	Path string `json:"path"`

	// Parent is the parent POM reference for inheritance (child POMs inherit configuration from parent)
	Parent *JavaPomParent `json:"parent,omitempty"`

	// GroupID is Maven group identifier (reversed domain name like org.apache.maven)
	GroupID string `json:"groupId"`

	// ArtifactID is Maven artifact identifier (project name)
	ArtifactID string `json:"artifactId"`

	// Version is project version (together with groupId and artifactId forms Maven coordinates groupId:artifactId:version)
	Version string `json:"version"`

	// Name is a human-readable project name (displayed in Maven-generated documentation)
	Name string `json:"name"`

	// Description is detailed project description
	Description string `json:"description,omitempty"`

	// URL is the project URL (typically project website or repository)
	URL string `json:"url,omitempty"`
}

JavaPomProject represents fields of interest extracted from a Java archive's pom.xml file. See https://maven.apache.org/ref/3.6.3/maven-model/maven.html for more details.

type JavaPomProperties added in v0.95.0 

type JavaPomProperties struct {
	// Path is path to the pom.properties file within the archive
	Path string `mapstructure:"path" json:"path"`

	// Name is the project name
	Name string `mapstructure:"name" json:"name"`

	// GroupID is Maven group identifier uniquely identifying the project across all projects (follows reversed domain name convention like com.company.project)
	GroupID string `mapstructure:"groupId" json:"groupId" cyclonedx:"groupID"`

	// ArtifactID is Maven artifact identifier, the name of the jar/artifact (unique within the groupId scope)
	ArtifactID string `mapstructure:"artifactId" json:"artifactId" cyclonedx:"artifactID"`

	// Version is artifact version
	Version string `mapstructure:"version" json:"version"`

	// Scope is dependency scope determining when dependency is available (compile=default all phases, test=test compilation/execution only, runtime=runtime and test not compile, provided=expected from JDK or container)
	Scope string `mapstructure:"scope" json:"scope,omitempty"`

	// Extra is additional custom properties not in standard Maven coordinates
	Extra map[string]string `mapstructure:",remain" json:"extraFields,omitempty"`
}

JavaPomProperties represents the fields of interest extracted from a Java archive's pom.properties file.

func (JavaPomProperties) PkgTypeIndicated added in v0.95.0 

func (p JavaPomProperties) PkgTypeIndicated() Type

PkgTypeIndicated returns the package Type indicated by the data contained in the JavaPomProperties.

type JavaVMInstallation added in v1.13.0 

type JavaVMInstallation struct {
	// Release is JVM release information and version details
	Release JavaVMRelease `json:"release"`

	// Files are the list of files that are part of this JVM installation
	Files []string `json:"files"`
}

JavaVMInstallation represents a Java Virtual Machine installation discovered on the system with its release information and file list.

func (JavaVMInstallation) OwnedFiles added in v1.13.0 

func (m JavaVMInstallation) OwnedFiles() []string

type JavaVMRelease added in v1.13.0 

type JavaVMRelease struct {
	// Implementor is extracted with the `java.vendor` JVM property
	Implementor string `mapstructure:"IMPLEMENTOR,omitempty" json:"implementor,omitempty"`

	// ImplementorVersion is extracted with the `java.vendor.version` JVM property
	ImplementorVersion string `mapstructure:"IMPLEMENTOR_VERSION,omitempty" json:"implementorVersion,omitempty"`

	// JavaRuntimeVersion is extracted from the 'java.runtime.version' JVM property
	JavaRuntimeVersion string `mapstructure:"JAVA_RUNTIME_VERSION,omitempty" json:"javaRuntimeVersion,omitempty"`

	// JavaVersion matches that from `java -version` command output
	JavaVersion string `mapstructure:"JAVA_VERSION,omitempty" json:"javaVersion,omitempty"`

	// JavaVersionDate is extracted from the 'java.version.date' JVM property
	JavaVersionDate string `mapstructure:"JAVA_VERSION_DATE,omitempty" json:"javaVersionDate,omitempty"`

	// Libc can either be 'glibc' or 'musl'
	Libc string `mapstructure:"LIBC,omitempty" json:"libc,omitempty"`

	// Modules is a list of JVM modules that are packaged
	Modules []string `mapstructure:"MODULES,omitempty" json:"modules,omitempty"`

	// OsArch is the target CPU architecture
	OsArch string `mapstructure:"OS_ARCH,omitempty" json:"osArch,omitempty"`

	// OsName is the name of the target runtime operating system environment
	OsName string `mapstructure:"OS_NAME,omitempty" json:"osName,omitempty"`

	// OsVersion is the version of the target runtime operating system environment
	OsVersion string `mapstructure:"OS_VERSION,omitempty" json:"osVersion,omitempty"`

	// Source refers to the origin repository of OpenJDK source
	Source string `mapstructure:"SOURCE,omitempty" json:"source,omitempty"`

	// BuildSource Git SHA of the build repository
	BuildSource string `mapstructure:"BUILD_SOURCE,omitempty" json:"buildSource,omitempty"`

	// BuildSourceRepo refers to rhe repository URL for the build source
	BuildSourceRepo string `mapstructure:"BUILD_SOURCE_REPO,omitempty" json:"buildSourceRepo,omitempty"`

	// SourceRepo refers to the OpenJDK repository URL
	SourceRepo string `mapstructure:"SOURCE_REPO,omitempty" json:"sourceRepo,omitempty"`

	// FullVersion is extracted from the 'java.runtime.version' JVM property
	FullVersion string `mapstructure:"FULL_VERSION,omitempty" json:"fullVersion,omitempty"`

	// SemanticVersion is derived from the OpenJDK version
	SemanticVersion string `mapstructure:"SEMANTIC_VERSION,omitempty" json:"semanticVersion,omitempty"`

	// BuildInfo contains additional build information
	BuildInfo string `mapstructure:"BUILD_INFO,omitempty" json:"buildInfo,omitempty"`

	// JvmVariant specifies the JVM variant (e.g., Hotspot or OpenJ9)
	JvmVariant string `mapstructure:"JVM_VARIANT,omitempty" json:"jvmVariant,omitempty"`

	// JvmVersion is extracted from the 'java.vm.version' JVM property
	JvmVersion string `mapstructure:"JVM_VERSION,omitempty" json:"jvmVersion,omitempty"`

	// ImageType can be 'JDK' or 'JRE'
	ImageType string `mapstructure:"IMAGE_TYPE,omitempty" json:"imageType,omitempty"`

	// BuildType can be 'commercial' (used in some older oracle JDK distributions)
	BuildType string `mapstructure:"BUILD_TYPE,omitempty" json:"buildType,omitempty"`
}

JavaVMRelease represents JVM version and build information extracted from the release file in a Java installation.

type KeyValue added in v0.104.0 

type KeyValue struct {
	// Key is the key name
	Key string `json:"key"`

	// Value is the value associated with the key
	Value string `json:"value"`
}

KeyValue represents a single key-value pair.

type KeyValues added in v0.104.0 

type KeyValues []KeyValue

KeyValues represents an ordered collection of key-value pairs that preserves insertion order.

func (KeyValues) Get added in v0.104.0 

func (k KeyValues) Get(key string) (string, bool)

func (KeyValues) MustGet added in v0.104.0 

func (k KeyValues) MustGet(key string) string

func (*KeyValues) UnmarshalJSON added in v0.104.0 

func (k *KeyValues) UnmarshalJSON(b []byte) error

type Language 

type Language string

Language represents a single programming language. 

const (
	// the full set of supported programming languages
	UnknownLanguage Language = ""
	CPP             Language = "c++"
	Dart            Language = "dart"
	Dotnet          Language = "dotnet"
	Elixir          Language = "elixir"
	Erlang          Language = "erlang"
	Go              Language = "go"
	Haskell         Language = "haskell"
	Java            Language = "java"
	JavaScript      Language = "javascript"
	Lua             Language = "lua"
	OCaml           Language = "ocaml"
	PHP             Language = "php"
	Python          Language = "python"
	R               Language = "R"
	Ruby            Language = "ruby"
	Rust            Language = "rust"
	Swift           Language = "swift"
	Swipl           Language = "swipl"
)

func LanguageByName added in v0.38.0 

func LanguageByName(name string) Language

func LanguageFromPURL added in v0.37.0 

func LanguageFromPURL(p string) Language

func (Language) String 

func (l Language) String() string

String returns the string representation of the language.

type License added in v0.81.0 

type License struct {
	// SPDXExpression is parsed SPDX license expression (e.g. "MIT OR Apache-2.0")
	SPDXExpression string

	// Value is original raw license string as found in metadata (e.g. "mit or apache-2")
	Value string

	// Type is classification of how this license was discovered (declared, concluded, etc.).
	// A Concluded License type is the license the SBOM creator believes governs the package (human crafted or altered SBOM).
	// The Declared License is what the authors of a project believe govern the package (this is the default type syft uses).
	Type license.Type

	// Contents is full license text if available. If a license is given as its full text in the
	// metadata rather than its value or SPDX expression, this field is used to represent that data.
	Contents string `hash:"ignore"`

	// URLs are the list of URLs where license information was found. These are ignored for uniqueness
	// since we merge these fields across equal licenses.
	URLs []string `hash:"ignore"`

	// Locations are the file locations where this license was discovered. These are ignored for uniqueness
	// since we merge these fields across equal licenses.
	Locations file.LocationSet `hash:"ignore"`
}

License represents an SPDX Expression or license value extracted from a package's metadata. A License is a unique combination of value, expression and type, where its sources are always considered merged and additions to the evidence of where it was found and how it was sourced. This is different from how we treat a package since we consider package paths in order to distinguish if packages should be kept separate. This is different for licenses since we're only looking for evidence of where a license was declared/concluded for a given package.

func NewLicense added in v0.81.0 

func NewLicense(value string) License

func NewLicenseFromFields added in v0.93.0 

func NewLicenseFromFields(value, url string, location *file.Location) License

func NewLicenseFromFieldsWithContext added in v1.24.0 

func NewLicenseFromFieldsWithContext(ctx context.Context, value, url string, location *file.Location) License

func NewLicenseFromLocations added in v0.81.0 

func NewLicenseFromLocations(value string, locations ...file.Location) License

func NewLicenseFromLocationsWithContext added in v1.24.0 

func NewLicenseFromLocationsWithContext(ctx context.Context, value string, locations ...file.Location) License

func NewLicenseFromType added in v0.81.0 

func NewLicenseFromType(value string, t license.Type) License

func NewLicenseFromTypeWithContext added in v1.24.0 

func NewLicenseFromTypeWithContext(ctx context.Context, value string, t license.Type) License

func NewLicenseFromURLs added in v0.81.0 

func NewLicenseFromURLs(value string, urls ...string) License

func NewLicenseFromURLsWithContext added in v1.24.0 

func NewLicenseFromURLsWithContext(ctx context.Context, value string, urls ...string) License

func NewLicenseWithContext added in v1.24.0 

func NewLicenseWithContext(ctx context.Context, value string) License

func NewLicensesFromLocation added in v0.81.0 

func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)

func NewLicensesFromLocationWithContext added in v1.24.0 

func NewLicensesFromLocationWithContext(ctx context.Context, location file.Location, values ...string) []License

func NewLicensesFromReadCloserWithContext added in v1.24.0 

func NewLicensesFromReadCloserWithContext(ctx context.Context, closer file.LocationReadCloser) []License

func NewLicensesFromValues added in v0.81.0 

func NewLicensesFromValues(values ...string) (licenses []License)

func NewLicensesFromValuesWithContext added in v1.24.0 

func NewLicensesFromValuesWithContext(ctx context.Context, values ...string) []License

func (License) Empty added in v1.24.0 

func (s License) Empty() bool

func (License) Merge added in v0.81.0 

func (s License) Merge(l License) (*License, error)

Merge two licenses into a new license object. If the merge is not possible due to unmergeable fields (e.g. different values for Value, SPDXExpression, Type, or any non-collection type) an error is returned. TODO: this is a bit of a hack to not infinitely recurse when hashing a license

type LicenseSet added in v0.81.0 

type LicenseSet struct {
	// contains filtered or unexported fields
}

func NewLicenseSet added in v0.81.0 

func NewLicenseSet(licenses ...License) (s LicenseSet)

func (*LicenseSet) Add added in v0.81.0 

func (s *LicenseSet) Add(licenses ...License)

func (LicenseSet) Empty added in v0.81.0 

func (s LicenseSet) Empty() bool

func (LicenseSet) Hash added in v0.81.0 

func (s LicenseSet) Hash() (uint64, error)

func (LicenseSet) ToSlice added in v0.81.0 

func (s LicenseSet) ToSlice(sorters ...func(a, b License) int) []License

func (LicenseSet) ToUnorderedSlice added in v1.24.0 

func (s LicenseSet) ToUnorderedSlice() []License

type Licenses added in v0.81.0 

type Licenses []License

Licenses is a sortable collection of License objects implementing sort.Interface.

func (Licenses) Len added in v0.81.0 

func (l Licenses) Len() int

func (Licenses) Less added in v0.81.0 

func (l Licenses) Less(i, j int) bool

func (Licenses) Swap added in v0.81.0 

func (l Licenses) Swap(i, j int)

type LinuxKernel added in v0.95.0 

type LinuxKernel struct {
	// Name is kernel name (typically "Linux")
	Name string `mapstructure:"name" json:"name" cyclonedx:"name"`

	// Architecture is the target CPU architecture
	Architecture string `mapstructure:"architecture" json:"architecture" cyclonedx:"architecture"`

	// Version is kernel version string
	Version string `mapstructure:"version" json:"version" cyclonedx:"version"`

	// ExtendedVersion is additional version information
	ExtendedVersion string `mapstructure:"extendedVersion" json:"extendedVersion,omitempty" cyclonedx:"extendedVersion"`

	// BuildTime is when the kernel was built
	BuildTime string `mapstructure:"buildTime" json:"buildTime,omitempty" cyclonedx:"buildTime"`

	// Author is who built the kernel
	Author string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`

	// Format is kernel image format (e.g. bzImage, zImage)
	Format string `mapstructure:"format" json:"format,omitempty" cyclonedx:"format"`

	// RWRootFS is whether root filesystem is mounted read-write
	RWRootFS bool `mapstructure:"rwRootFS" json:"rwRootFS,omitempty" cyclonedx:"rwRootFS"`

	// SwapDevice is swap device number
	SwapDevice int `mapstructure:"swapDevice" json:"swapDevice,omitempty" cyclonedx:"swapDevice"`

	// RootDevice is root device number
	RootDevice int `mapstructure:"rootDevice" json:"rootDevice,omitempty" cyclonedx:"rootDevice"`

	// VideoMode is default video mode setting
	VideoMode string `mapstructure:"videoMode" json:"videoMode,omitempty" cyclonedx:"videoMode"`
}

LinuxKernel represents all captured data for a Linux kernel

type LinuxKernelModule added in v0.95.0 

type LinuxKernelModule struct {
	// Name is module name
	Name string `mapstructure:"name" json:"name,omitempty" cyclonedx:"name"`

	// Version is module version string
	Version string `mapstructure:"version" json:"version,omitempty" cyclonedx:"version"`

	// SourceVersion is the source code version identifier
	SourceVersion string `mapstructure:"sourceVersion" json:"sourceVersion,omitempty" cyclonedx:"sourceVersion"`

	// Path is the filesystem path to the .ko kernel object file (absolute path)
	Path string `mapstructure:"path" json:"path,omitempty" cyclonedx:"path"`

	// Description is a human-readable module description
	Description string `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`

	// Author is module author name and email
	Author string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`

	// License is module license (e.g. GPL, BSD) which must be compatible with kernel
	License string `mapstructure:"license" json:"license,omitempty" cyclonedx:"license"`

	// KernelVersion is kernel version this module was built for
	KernelVersion string `mapstructure:"kernelVersion" json:"kernelVersion,omitempty" cyclonedx:"kernelVersion"`

	// VersionMagic is version magic string for compatibility checking (includes kernel version, SMP status, module loading capabilities like "3.17.4-302.fc21.x86_64 SMP mod_unload modversions"). Module will NOT load if vermagic doesn't match running kernel.
	VersionMagic string `mapstructure:"versionMagic" json:"versionMagic,omitempty" cyclonedx:"versionMagic"`

	// Parameters are the module parameters that can be configured at load time (user-settable values like module options)
	Parameters map[string]LinuxKernelModuleParameter `mapstructure:"parameters" json:"parameters,omitempty" cyclonedx:"parameters"`
}

LinuxKernelModule represents a loadable kernel module (.ko file) with its metadata, parameters, and dependencies.

type LinuxKernelModuleParameter added in v0.78.0 

type LinuxKernelModuleParameter struct {
	// Type is parameter data type (e.g. int, string, bool, array types)
	Type string `mapstructure:"type" json:"type,omitempty" cyclonedx:"type"`

	// Description is a human-readable parameter description explaining what the parameter controls
	Description string `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
}

LinuxKernelModuleParameter represents a configurable parameter for a kernel module with its type and description.

type LuaRocksPackage added in v1.5.0 

type LuaRocksPackage struct {
	// Name is the package name as found in the .rockspec file
	Name string `json:"name"`

	// Version is the package version as found in the .rockspec file
	Version string `json:"version"`

	// License is license identifier
	License string `json:"license"`

	// Homepage is project homepage URL
	Homepage string `json:"homepage"`

	// Description is a human-readable package description
	Description string `json:"description"`

	// URL is the source download URL
	URL string `json:"url"`

	// Dependencies are the map of dependency names to version constraints
	Dependencies map[string]string `json:"dependencies"`
}

LuaRocksPackage represents a Lua package managed by the LuaRocks package manager with metadata from .rockspec files.

type MicrosoftKbPatch added in v0.95.0 

type MicrosoftKbPatch struct {
	// ProductID is MSRC Product ID (e.g. "Windows 10 Version 1703 for 32-bit Systems")
	ProductID string `toml:"product_id" json:"product_id"`

	// Kb is Knowledge Base article number (e.g. "5001028")
	Kb string `toml:"kb" json:"kb"`
}

MicrosoftKbPatch represents a Windows Knowledge Base patch identifier associated with a specific Microsoft product from the MSRC (Microsoft Security Response Center). This type captures both the product being patched and the KB article number for the update.

type NixDerivation added in v1.24.0 

type NixDerivation struct {
	// Path is path to the .drv file in Nix store
	Path string `mapstructure:"path" json:"path,omitempty"`

	// System is target system string indicating where derivation can be built (e.g. "x86_64-linux", "aarch64-darwin"). Must match current system for local builds.
	System string `mapstructure:"system" json:"system,omitempty"`

	// InputDerivations are the list of other derivations that were inputs to this build (dependencies)
	InputDerivations []NixDerivationReference `mapstructure:"inputDerivations" json:"inputDerivations,omitempty"`

	// InputSources are the list of source file paths that were inputs to this build
	InputSources []string `mapstructure:"inputSources" json:"inputSources,omitempty"`
}

NixDerivation represents a Nix .drv file that describes how to build a package including inputs, outputs, and build instructions.

type NixDerivationReference added in v1.24.0 

type NixDerivationReference struct {
	// Path is path to the referenced .drv file
	Path string `mapstructure:"path" json:"path,omitempty"`

	// Outputs are which outputs of the referenced derivation were used (e.g. ["out"], ["bin", "dev"])
	Outputs []string `mapstructure:"outputs" json:"outputs,omitempty"`
}

NixDerivationReference represents a reference to another derivation used as a build input or runtime dependency.

type NixStoreEntry added in v0.95.0 

type NixStoreEntry struct {
	// Path is full store path for this output (e.g. /nix/store/abc123...-package-1.0)
	Path string `mapstructure:"path" json:"path,omitempty"`

	// Output is the specific output name for multi-output packages (empty string for default "out" output, can be "bin", "dev", "doc", etc.)
	Output string `mapstructure:"output" json:"output,omitempty"`

	// OutputHash is hash prefix of the store path basename (first part before the dash)
	OutputHash string `mapstructure:"outputHash" json:"outputHash"`

	// Derivation is information about the .drv file that describes how this package was built
	Derivation NixDerivation `mapstructure:"derivation" json:"derivation,omitempty"`

	// Files are the list of files under the nix/store path for this package
	Files []string `mapstructure:"files" json:"files,omitempty"`
}

NixStoreEntry represents a package in the Nix store (/nix/store) with its derivation information and metadata.

func (NixStoreEntry) OwnedFiles added in v0.95.0 

func (m NixStoreEntry) OwnedFiles() (result []string)

type NpmPackage added in v0.95.0 

type NpmPackage struct {
	// Name is the package name as found in package.json
	Name string `mapstructure:"name" json:"name"`

	// Version is the package version as found in package.json
	Version string `mapstructure:"version" json:"version"`

	// Author is package author name
	Author string `mapstructure:"author" json:"author"`

	// Homepage is project homepage URL
	Homepage string `mapstructure:"homepage" json:"homepage"`

	// Description is a human-readable package description
	Description string `mapstructure:"description" json:"description"`

	// URL is repository or project URL
	URL string `mapstructure:"url" json:"url"`

	// Private is whether this is a private package
	Private bool `mapstructure:"private" json:"private"`
}

NpmPackage represents the contents of a javascript package.json file.

type NpmPackageLockEntry added in v0.95.0 

type NpmPackageLockEntry struct {
	// Resolved is URL where this package was downloaded from (registry source)
	Resolved string `mapstructure:"resolved" json:"resolved"`

	// Integrity is Subresource Integrity hash for verification using standard SRI format (sha512-... or sha1-...). npm changed from SHA-1 to SHA-512 in newer versions. For registry sources this is the integrity from registry, for remote tarballs it's SHA-512 of the file. npm verifies tarball matches this hash before unpacking, throwing EINTEGRITY error if mismatch detected.
	Integrity string `mapstructure:"integrity" json:"integrity"`

	// Dependencies is a map of dependencies and their version markers, i.e. "lodash": "^1.0.0"
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}

NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.

type OpamPackage added in v1.12.0 

type OpamPackage struct {
	// Name is the package name as found in the .opam file
	Name string `toml:"name" json:"name"`

	// Version is the package version as found in the .opam file
	Version string `toml:"version" json:"version"`

	// Licenses are the list of applicable licenses
	Licenses []string `mapstructure:"licenses" json:"licenses"`

	// URL is download URL for the package source
	URL string `mapstructure:"url" json:"url"`

	// Checksums are the list of checksums for verification
	Checksums []string `mapstructure:"checksums" json:"checksum"`

	// Homepage is project homepage URL
	Homepage string `json:"homepage"`

	// Dependencies are the list of required dependencies
	Dependencies []string `toml:"dependencies" json:"dependencies"`
}

OpamPackage represents an OCaml package managed by the OPAM package manager with metadata from .opam files.

type PEBinary added in v1.26.0 

type PEBinary struct {
	// VersionResources contains key-value pairs extracted from the PE file's version resource section (e.g., FileVersion, ProductName, CompanyName).
	VersionResources KeyValues
}

PEBinary represents metadata captured from a Portable Executable formatted binary (dll, exe, etc.)

type Package 

type Package struct {

	// Name is the package name
	Name string

	// Version is the package version
	Version string

	// FoundBy is the specific cataloger that discovered this package
	FoundBy string `hash:"ignore" cyclonedx:"foundBy"`

	// Locations are the locations that lead to the discovery of this package (note: not necessarily the locations that make up the package)
	Locations file.LocationSet

	// Licenses are the licenses discovered from the package metadata
	Licenses LicenseSet

	// Language is the language this package was written in (e.g. JavaScript, Python, etc)
	Language Language `hash:"ignore" cyclonedx:"language"`

	// Type is the ecosystem the package belongs to (e.g. Npm, Yarn, Python, Rpm, Deb, etc)
	Type Type `cyclonedx:"type"`

	// CPEs are all possible Common Platform Enumerators (note: NOT included in ID since derived from other fields)
	CPEs []cpe.CPE `hash:"ignore"`

	// PURL is the Package URL (see https://github.com/package-url/purl-spec)
	PURL string `hash:"ignore"`

	// Metadata is additional data found while parsing the package source
	Metadata any
	// contains filtered or unexported fields
}

Package represents an application or library that has been bundled into a distributable format. TODO: if we ignore FoundBy for ID generation should we merge the field to show it was found in two places?

func (Package) ID 

func (p Package) ID() artifact.ID

func (*Package) OverrideID added in v0.45.0 

func (p *Package) OverrideID(id artifact.ID)

func (*Package) SetID added in v0.33.0 

func (p *Package) SetID()

func (Package) String 

func (p Package) String() string

Stringer to represent a package.

type PhpComposerAuthors added in v0.36.0 

type PhpComposerAuthors struct {
	// Name is author's full name
	Name string `json:"name"`

	// Email is author's email address
	Email string `json:"email,omitempty"`

	// Homepage is author's personal or company website
	Homepage string `json:"homepage,omitempty"`
}

PhpComposerAuthors represents author information for a PHP Composer package from the authors field in composer.json.

type PhpComposerExternalReference added in v0.36.0 

type PhpComposerExternalReference struct {
	// Type is reference type (git for source VCS, zip/tar for dist archives)
	Type string `json:"type"`

	// URL is the URL to the resource (git repository URL or archive download URL)
	URL string `json:"url"`

	// Reference is git commit hash or version tag for source, or archive version for dist
	Reference string `json:"reference"`

	// Shasum is SHA hash of the archive file for integrity verification (dist only)
	Shasum string `json:"shasum,omitempty"`
}

PhpComposerExternalReference represents source or distribution information for a PHP package, indicating where the package code is retrieved from.

type PhpComposerInstalledEntry added in v0.95.0 

type PhpComposerInstalledEntry PhpComposerLockEntry

PhpComposerInstalledEntry represents a single package entry from a composer v1/v2 "installed.json" files (very similar to composer.lock files).

type PhpComposerLockEntry added in v0.95.0 

type PhpComposerLockEntry struct {
	// Name is package name in vendor/package format (e.g. symfony/console)
	Name string `json:"name"`

	// Version is the package version
	Version string `json:"version"`

	// Source is the source repository information for development (typically git repo, used when passing --prefer-source). Originates from source code repository.
	Source PhpComposerExternalReference `json:"source"`

	// Dist is distribution archive information for production (typically zip/tar, default install method). Packaged version of released code.
	Dist PhpComposerExternalReference `json:"dist"`

	// Require is runtime dependencies with version constraints (package will not install unless these requirements can be met)
	Require map[string]string `json:"require,omitempty"`

	// Provide is virtual packages/functionality provided by this package (allows other packages to depend on capabilities)
	Provide map[string]string `json:"provide,omitempty"`

	// RequireDev is development-only dependencies (not installed in production, only when developing this package or running tests)
	RequireDev map[string]string `json:"require-dev,omitempty"`

	// Suggest is optional but recommended dependencies (suggestions for packages that would extend functionality)
	Suggest map[string]string `json:"suggest,omitempty"`

	// License is the list of license identifiers (SPDX format)
	License []string `json:"license,omitempty"`

	// Type is package type indicating purpose (library=reusable code, project=application, metapackage=aggregates dependencies, etc.)
	Type string `json:"type,omitempty"`

	// NotificationURL is the URL to notify when package is installed (for tracking/statistics)
	NotificationURL string `json:"notification-url,omitempty"`

	// Bin is the list of binary/executable files that should be added to PATH
	Bin []string `json:"bin,omitempty"`

	// Authors are the list of package authors with name/email/homepage
	Authors []PhpComposerAuthors `json:"authors,omitempty"`

	// Description is a human-readable package description
	Description string `json:"description,omitempty"`

	// Homepage is project homepage URL
	Homepage string `json:"homepage,omitempty"`

	// Keywords are the list of keywords for package discovery/search
	Keywords []string `json:"keywords,omitempty"`

	// Time is timestamp when this package version was released
	Time string `json:"time,omitempty"`
}

PhpComposerLockEntry represents a single package entry found from a composer.lock file.

type PhpPearEntry added in v1.24.0 

type PhpPearEntry struct {
	// Name is the package name
	Name string `json:"name"`

	// Channel is PEAR channel this package is from
	Channel string `json:"channel,omitempty"`

	// Version is the package version
	Version string `json:"version"`

	// License is the list of applicable licenses
	License []string `json:"license,omitempty"`
}

PhpPearEntry represents a single package entry found within php pear metadata files.

type PhpPeclEntry deprecated added in v1.1.1 

type PhpPeclEntry PhpPearEntry

PhpPeclEntry represents a single package entry found within php pecl metadata files.

Deprecated: please use PhpPearEntry instead with the pear cataloger.

type PnpmLockEntry added in v1.38.0 

type PnpmLockEntry struct {
	// Resolution is the resolution information for the package
	Resolution PnpmLockResolution `mapstructure:"resolution" json:"resolution"`

	// Dependencies is a map of dependencies and their versions
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}

PnpmLockEntry represents a single entry in the "packages" section of a pnpm-lock.yaml file.

type PnpmLockResolution added in v1.38.0 

type PnpmLockResolution struct {
	// Integrity is Subresource Integrity hash for verification (SRI format)
	Integrity string `mapstructure:"integrity" json:"integrity"`
}

PnpmLockResolution contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification.

type PortageEntry added in v0.95.0 

type PortageEntry struct {
	// InstalledSize is total size of installed files in bytes
	InstalledSize int `json:"installedSize" cyclonedx:"installedSize"`

	// Licenses is license string which may be an expression (e.g. "GPL-2 OR Apache-2.0")
	Licenses string `json:"licenses,omitempty"`

	// Files are the files installed by this package (tracked in CONTENTS file)
	Files []PortageFileRecord `json:"files"`
}

PortageEntry represents a single package entry in the portage DB flat-file store.

func (PortageEntry) OwnedFiles added in v0.95.0 

func (m PortageEntry) OwnedFiles() (result []string)

type PortageFileRecord added in v0.51.0 

type PortageFileRecord struct {
	// Path is the file path relative to the filesystem root
	Path string `json:"path"`

	// Digest is file content hash (MD5 for regular files in CONTENTS format: "obj filename md5hash mtime")
	Digest *file.Digest `json:"digest,omitempty"`
}

PortageFileRecord represents a single file attributed to a portage package.

type PythonDirectURLOriginInfo added in v0.34.0 

type PythonDirectURLOriginInfo struct {
	// URL is the source URL from which the package was installed.
	URL string `json:"url"`
	// CommitID is the VCS commit hash if installed from version control.
	CommitID string `json:"commitId,omitempty"`
	// VCS is the version control system type (e.g., "git", "hg").
	VCS string `json:"vcs,omitempty"`
}

PythonDirectURLOriginInfo represents installation source metadata from direct_url.json for packages installed from VCS or direct URLs.

type PythonFileDigest added in v0.8.0 

type PythonFileDigest struct {
	// Algorithm is the hash algorithm used (e.g., "sha256").
	Algorithm string `json:"algorithm"`
	// Value is the hex-encoded hash digest value.
	Value string `json:"value"`
}

PythonFileDigest represents the file metadata for a single file attributed to a python package.

type PythonFileRecord added in v0.4.0 

type PythonFileRecord struct {
	// Path is the installed file path from the RECORD file.
	Path string `json:"path"`
	// Digest contains the hash algorithm and value for file integrity verification.
	Digest *PythonFileDigest `json:"digest,omitempty"`
	// Size is the file size in bytes as a string.
	Size string `json:"size,omitempty"`
}

PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package

type PythonPackage added in v0.95.0 

type PythonPackage struct {
	// Name is the package name from the Name field in PKG-INFO or METADATA.
	Name string `json:"name" mapstructure:"Name"`
	// Version is the package version from the Version field in PKG-INFO or METADATA.
	Version string `json:"version" mapstructure:"Version"`
	// Author is the package author name from the Author field.
	Author string `json:"author" mapstructure:"Author"`
	// AuthorEmail is the package author's email address from the Author-Email field.
	AuthorEmail string `json:"authorEmail" mapstructure:"AuthorEmail"`
	// Platform indicates the target platform for the package (e.g., "any", "linux", "win32").
	Platform string `json:"platform" mapstructure:"Platform"`
	// Files are the installed files listed in the RECORD file for wheels or installed-files.txt for eggs.
	Files []PythonFileRecord `json:"files,omitempty"`
	// SitePackagesRootPath is the root directory path containing the package (e.g., "/usr/lib/python3.9/site-packages").
	SitePackagesRootPath string `json:"sitePackagesRootPath"`
	// TopLevelPackages are the top-level Python module names from top_level.txt file.
	TopLevelPackages []string `json:"topLevelPackages,omitempty"`
	// DirectURLOrigin contains VCS or direct URL installation information from direct_url.json.
	DirectURLOrigin *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
	// RequiresPython specifies the Python version requirement (e.g., ">=3.6").
	RequiresPython string `json:"requiresPython,omitempty" mapstructure:"RequiresPython"`
	// RequiresDist lists the package dependencies with version specifiers from Requires-Dist fields.
	RequiresDist []string `json:"requiresDist,omitempty" mapstructure:"RequiresDist"`
	// ProvidesExtra lists optional feature names that can be installed via extras (e.g., "dev", "test").
	ProvidesExtra []string `json:"providesExtra,omitempty" mapstructure:"ProvidesExtra"`
}

PythonPackage represents all captured data for a python egg or wheel package (specifically as outlined in the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/). Historically these were defined in PEPs 345, 314, and 241, but have been superseded by PEP 566. This means that this struct can (partially) express at least versions 1.0, 1.1, 1.2, 2.1, 2.2, and 2.3 of the metadata format.

func (PythonPackage) OwnedFiles added in v0.95.0 

func (m PythonPackage) OwnedFiles() (result []string)

type PythonPdmFileEntry added in v1.38.0 

type PythonPdmFileEntry struct {
	// URL is the file download URL
	URL string `mapstructure:"url" json:"url"`
	// Digest is the hash digest of the file hosted at the URL
	Digest PythonFileDigest `mapstructure:"hash" json:"digest"`
}

type PythonPdmLockEntry added in v1.35.0 

type PythonPdmLockEntry struct {
	// Summary provides a description of the package
	Summary string `mapstructure:"summary" json:"summary"`
	// Files are the package files with their paths and hash digests (for the base package without extras)
	Files []PythonPdmFileEntry `mapstructure:"files" json:"files"`
	// Marker is the "environment" --conditional expressions that determine whether a package should be installed based on the runtime environment
	Marker string `mapstructure:"marker" json:"marker,omitempty"`
	// RequiresPython specifies the Python version requirement (e.g., ">=3.6").
	RequiresPython string `mapstructure:"RequiresPython" json:"requiresPython,omitempty" `
	// Dependencies are the dependency specifications for the base package (without extras)
	Dependencies []string `mapstructure:"dependencies" json:"dependencies,omitempty"`
	// Extras contains variants for different extras combinations (PDM may have multiple entries per package)
	Extras []PythonPdmLockExtraVariant `json:"extras,omitempty"`
}

PythonPdmLockEntry represents a single package entry within a pdm.lock file.

type PythonPdmLockExtraVariant added in v1.38.0 

type PythonPdmLockExtraVariant struct {
	// Extras are the optional extras enabled for this variant (e.g., ["toml"], ["dev"], or ["toml", "dev"])
	Extras []string `json:"extras"`
	// Dependencies are the dependencies specific to this extras variant
	Dependencies []string `json:"dependencies,omitempty"`
	// Files are the package files specific to this variant (only populated if different from base)
	Files []PythonPdmFileEntry `json:"files,omitempty"`
	// Marker is the environment conditional expression for this variant (e.g., "python_version < \"3.11\"")
	Marker string `json:"marker,omitempty"`
}

PythonPdmLockExtraVariant represents a specific extras combination variant within a PDM lock file. PDM creates separate package entries for different extras combinations; this struct captures those variants.

type PythonPipfileLockEntry added in v0.95.0 

type PythonPipfileLockEntry struct {
	// Hashes are the package file hash values in the format "algorithm:digest" for integrity verification.
	Hashes []string `mapstructure:"hashes" json:"hashes"`
	// Index is the PyPI index name where the package should be fetched from.
	Index string `mapstructure:"index" json:"index"`
}

PythonPipfileLockEntry represents a single package entry within a Pipfile.lock file.

type PythonPoetryLockDependencyEntry added in v1.6.0 

type PythonPoetryLockDependencyEntry struct {
	// Name is the dependency package name.
	Name string `json:"name"`
	// Version is the locked version or version constraint for the dependency.
	Version string `json:"version"`
	// Optional indicates whether this dependency is optional (only needed for certain extras).
	Optional bool `json:"optional"`
	// Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'").
	Markers string `json:"markers,omitempty"`
	// Extras are the optional feature names from the dependency that should be installed.
	Extras []string `json:"extras,omitempty"`
}

PythonPoetryLockDependencyEntry represents a single dependency entry within a Poetry lock file.

type PythonPoetryLockEntry added in v0.104.0 

type PythonPoetryLockEntry struct {
	// Index is the package repository name where the package should be fetched from.
	Index string `mapstructure:"index" json:"index"`
	// Dependencies are the package's runtime dependencies with version constraints.
	Dependencies []PythonPoetryLockDependencyEntry `json:"dependencies"`
	// Extras are optional feature groups that include additional dependencies.
	Extras []PythonPoetryLockExtraEntry `json:"extras,omitempty"`
}

PythonPoetryLockEntry represents a single package entry within a Pipfile.lock file.

type PythonPoetryLockExtraEntry added in v1.6.0 

type PythonPoetryLockExtraEntry struct {
	// Name is the optional feature name (e.g., "dev", "test").
	Name string `json:"name"`
	// Dependencies are the package names required when this extra is installed.
	Dependencies []string `json:"dependencies"`
}

PythonPoetryLockExtraEntry represents an optional feature group in a Poetry lock file.

type PythonRequirementsEntry added in v0.95.0 

type PythonRequirementsEntry struct {
	// Name is the package name from the requirements file.
	Name string `json:"name" mapstructure:"Name"`
	// Extras are the optional features to install from the package (e.g., package[dev,test]).
	Extras []string `json:"extras,omitempty" mapstructure:"Extras"`
	// VersionConstraint specifies version requirements (e.g., ">=1.0,<2.0").
	VersionConstraint string `json:"versionConstraint" mapstructure:"VersionConstraint"`
	// URL is the direct download URL or VCS URL if specified instead of a PyPI package.
	URL string `json:"url,omitempty" mapstructure:"URL"`
	// Markers are environment marker expressions for conditional installation (e.g., "python_version >= '3.8'").
	Markers string `json:"markers,omitempty" mapstructure:"Markers"`
}

PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.

type PythonUvLockDependencyEntry added in v1.29.0 

type PythonUvLockDependencyEntry struct {
	// Name is the dependency package name.
	Name string `json:"name"`
	// Optional indicates whether this dependency is optional (only needed for certain extras).
	Optional bool `json:"optional"`
	// Markers are environment marker expressions that conditionally enable the dependency (e.g., "python_version >= '3.8'").
	Markers string `json:"markers,omitempty"`
	// Extras are the optional feature names from the dependency that should be installed.
	Extras []string `json:"extras,omitempty"`
}

PythonUvLockDependencyEntry represents a single dependency entry within a uv lock file.

type PythonUvLockEntry added in v1.29.0 

type PythonUvLockEntry struct {
	// Index is the package repository name where the package should be fetched from.
	Index string `mapstructure:"index" json:"index"`
	// Dependencies are the package's runtime dependencies with version constraints.
	Dependencies []PythonUvLockDependencyEntry `json:"dependencies"`
	// Extras are optional feature groups that include additional dependencies.
	Extras []PythonUvLockExtraEntry `json:"extras,omitempty"`
}

PythonUvLockEntry represents a single package entry within a uv.lock file.

type PythonUvLockExtraEntry added in v1.29.0 

type PythonUvLockExtraEntry struct {
	// Name is the optional feature name (e.g., "dev", "test").
	Name string `json:"name"`
	// Dependencies are the package names required when this extra is installed.
	Dependencies []string `json:"dependencies"`
}

PythonUvLockExtraEntry represents an optional feature group in a uv lock file.

type RDescription added in v0.95.0 

type RDescription struct {
	// Title is short one-line package title
	Title string `json:"title,omitempty"`

	// Description is detailed package description
	Description string `json:"description,omitempty"`

	// Author is package author(s)
	Author string `json:"author,omitempty"`

	// Maintainer is current package maintainer
	Maintainer string `json:"maintainer,omitempty"`

	// URL is the list of related URLs
	URL []string `json:"url,omitempty"`

	// Repository is CRAN or other repository name
	Repository string `json:"repository,omitempty"`

	// Built is R version and platform this was built with
	Built string `json:"built,omitempty"`

	// NeedsCompilation is whether this package requires compilation
	NeedsCompilation bool `json:"needsCompilation,omitempty"`

	// Imports are the packages imported in the NAMESPACE
	Imports []string `json:"imports,omitempty"`

	// Depends are the packages this package depends on
	Depends []string `json:"depends,omitempty"`

	// Suggests are the optional packages that extend functionality
	Suggests []string `json:"suggests,omitempty"`
}

RDescription represents metadata from an R package DESCRIPTION file containing package information, dependencies, and author details.

type RpmArchive added in v0.95.0 

type RpmArchive RpmDBEntry

RpmArchive represents package metadata extracted directly from a .rpm archive file, containing the same information as an RPM database entry.

type RpmDBEntry added in v0.95.0 

type RpmDBEntry struct {
	// Name is the RPM package name as found in the RPM database.
	Name string `json:"name"`

	// Version is the upstream version of the package.
	Version string `json:"version"`

	// Epoch is the version epoch used to force upgrade ordering (null if not set).
	Epoch *int `json:"epoch"  cyclonedx:"epoch" jsonschema:"nullable"`

	// Arch is the target CPU architecture (e.g., "x86_64", "aarch64", "noarch").
	Arch string `json:"architecture"`

	// Release is the package release number or distribution-specific version suffix.
	Release string `json:"release" cyclonedx:"release"`

	// SourceRpm is the source RPM filename that was used to build this package.
	SourceRpm string `json:"sourceRpm" cyclonedx:"sourceRpm"`

	// Signatures contains GPG signature metadata for package verification.
	Signatures []RpmSignature `json:"signatures,omitempty" cyclonedx:"signatures"`

	// Size is the total installed size of the package in bytes.
	Size int `json:"size" cyclonedx:"size"`

	// Vendor is the organization that packaged the software.
	Vendor string `json:"vendor"`

	// ModularityLabel identifies the module stream for modular RPM packages (e.g., "nodejs:12:20200101").
	ModularityLabel *string `json:"modularityLabel,omitempty" cyclonedx:"modularityLabel"`

	// Provides lists the virtual packages and capabilities this package provides.
	Provides []string `json:"provides,omitempty"`

	// Requires lists the dependencies required by this package.
	Requires []string `json:"requires,omitempty"`

	// Files are the file records for all files owned by this package.
	Files []RpmFileRecord `json:"files"`
}

RpmDBEntry represents all captured data from a RPM DB package entry.

func (RpmDBEntry) OwnedFiles added in v0.95.0 

func (m RpmDBEntry) OwnedFiles() (result []string)

type RpmFileMode added in v0.95.0 

type RpmFileMode uint16

RpmFileMode is the raw file mode for a single file. This can be interpreted as the linux stat.h mode (see https://pubs.opengroup.org/onlinepubs/007908799/xsh/sysstat.h.html)

type RpmFileRecord added in v0.95.0 

type RpmFileRecord struct {
	// Path is the absolute file path where the file is installed.
	Path string `json:"path"`

	// Mode is the file permission mode bits following Unix stat.h conventions.
	Mode RpmFileMode `json:"mode"`

	// Size is the file size in bytes.
	Size int `json:"size"`

	// Digest contains the hash algorithm and value for file integrity verification.
	Digest file.Digest `json:"digest"`

	// UserName is the owner username for the file.
	UserName string `json:"userName"`

	// GroupName is the group name for the file.
	GroupName string `json:"groupName"`

	// Flags indicates the file type (e.g., "%config", "%doc", "%ghost").
	Flags string `json:"flags"`
}

RpmFileRecord represents the file metadata for a single file attributed to a RPM package.

type RpmSignature added in v1.25.0 

type RpmSignature struct {
	// PublicKeyAlgorithm is the public key algorithm used for signing (e.g., "RSA").
	PublicKeyAlgorithm string `json:"algo"`

	// HashAlgorithm is the hash algorithm used for the signature (e.g., "SHA256").
	HashAlgorithm string `json:"hash"`

	// Created is the timestamp when the signature was created.
	Created string `json:"created"`

	// IssuerKeyID is the GPG key ID that created the signature.
	IssuerKeyID string `json:"issuer"`
}

RpmSignature represents a GPG signature for an RPM package used for authenticity verification.

func (RpmSignature) String added in v1.25.0 

func (s RpmSignature) String() string

type RubyGemspec added in v0.95.0 

type RubyGemspec struct {
	// Name is gem name as specified in the gemspec
	Name string `mapstructure:"name" json:"name"`

	// Version is gem version as specified in the gemspec
	Version string `mapstructure:"version" json:"version"`

	// Files is logical list of files in the gem (NOT directly usable as filesystem paths. Example: bundler gem lists "lib/bundler/vendor/uri/lib/uri/ldap.rb" but actual path is "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb". Would need gem installation path, ruby version, and env vars like GEM_HOME to resolve actual paths.)
	Files []string `mapstructure:"files" json:"files,omitempty"`

	// Authors are the list of gem authors (stored as array regardless of using `author` or `authors` method in gemspec)
	Authors []string `mapstructure:"authors" json:"authors,omitempty"`

	// Homepage is project homepage URL
	Homepage string `mapstructure:"homepage" json:"homepage,omitempty"`
}

RubyGemspec represents all metadata parsed from the *.gemspec file

type RustBinaryAuditEntry added in v0.95.0 

type RustBinaryAuditEntry struct {
	// Name is crate name as specified in audit section of the build binary
	Name string `toml:"name" json:"name"`

	// Version is crate version as specified in audit section of the build binary
	Version string `toml:"version" json:"version"`

	// Source is the source registry or repository where this crate came from
	Source string `toml:"source" json:"source"`
}

RustBinaryAuditEntry represents Rust crate metadata extracted from a compiled binary using cargo-auditable format.

type RustCargoLockEntry added in v0.95.0 

type RustCargoLockEntry struct {
	// Name is crate name as specified in Cargo.toml
	Name string `toml:"name" json:"name"`

	// Version is crate version as specified in Cargo.toml
	Version string `toml:"version" json:"version"`

	// Source is the source registry or repository URL in format "registry+https://github.com/rust-lang/crates.io-index" for registry packages
	Source string `toml:"source" json:"source"`

	// Checksum is content checksum for registry packages only (hexadecimal string). Cargo doesn't require or include checksums for git dependencies. Used to detect MITM attacks by verifying downloaded crate matches lockfile checksum.
	Checksum string `toml:"checksum" json:"checksum"`

	// Dependencies are the list of dependencies with version constraints
	Dependencies []string `toml:"dependencies" json:"dependencies"`
}

RustCargoLockEntry represents a locked dependency from a Cargo.lock file with precise version and checksum information.

type SnapEntry added in v1.34.0 

type SnapEntry struct {
	// SnapType indicates the snap type (base, kernel, app, gadget, or snapd).
	SnapType string `json:"snapType" yaml:"snapType"` // base, kernel, system, gadget, snapd

	// Base is the base snap name that this snap depends on (e.g., "core20", "core22").
	Base string `json:"base" yaml:"base"` // base snap name (e.g., core20, core22)

	// SnapName is the snap package name.
	SnapName string `json:"snapName" yaml:"snapName"` // name of the snap

	// SnapVersion is the snap package version.
	SnapVersion string `json:"snapVersion" yaml:"snapVersion"` // version of the snap

	// Architecture is the target CPU architecture (e.g., "amd64", "arm64").
	Architecture string `json:"architecture" yaml:"architecture"` // architecture (amd64, arm64, etc.)

}

SnapEntry represents metadata for a Snap package extracted from snap.yaml or snapcraft.yaml files.

type SwiftPackageManagerResolvedEntry added in v0.95.0 

type SwiftPackageManagerResolvedEntry struct {
	// Revision is git commit hash of the resolved package
	Revision string `mapstructure:"revision" json:"revision"`
}

SwiftPackageManagerResolvedEntry represents a resolved dependency from a Package.resolved file with its locked version and source location.

type SwiplPackEntry added in v1.11.0 

type SwiplPackEntry struct {
	// Name is the package name as found in the .toml file
	Name string `toml:"name" json:"name"`

	// Version is the package version as found in the .toml file
	Version string `toml:"version" json:"version"`

	// Author is author name
	Author string `json:"author" mapstructure:"Author"`

	// AuthorEmail is author email address
	AuthorEmail string `json:"authorEmail" mapstructure:"AuthorEmail"`

	// Packager is packager name (if different from author)
	Packager string `json:"packager" mapstructure:"Packager"`

	// PackagerEmail is packager email address
	PackagerEmail string `json:"packagerEmail" mapstructure:"PackagerEmail"`

	// Homepage is project homepage URL
	Homepage string `json:"homepage"`

	// Dependencies are the list of required dependencies
	Dependencies []string `toml:"dependencies" json:"dependencies"`
}

SwiplPackEntry represents a SWI-Prolog package from the pack system with metadata about the package and its dependencies.

type TerraformLockProviderEntry added in v1.19.0 

type TerraformLockProviderEntry struct {
	// URL is the provider source address (e.g., "registry.terraform.io/hashicorp/aws").
	URL string `hcl:",label" json:"url"`
	// Constraints specifies the version constraints for the provider (e.g., "~> 4.0").
	Constraints string `hcl:"constraints,optional" json:"constraints"`
	// Version is the locked provider version selected during terraform init.
	Version string `hcl:"version" json:"version"`
	// Hashes are cryptographic checksums for the provider plugin archives across different platforms.
	Hashes []string `hcl:"hashes" json:"hashes"`
}

TerraformLockProviderEntry represents a single provider entry in a Terraform dependency lock file (.terraform.lock.hcl).

type Type 

type Type string

Type represents a Package Type for or within a language ecosystem (there may be multiple package types within a language ecosystem) 

const (
	// the full set of supported packages
	UnknownPkg              Type = "UnknownPackage"
	AlpmPkg                 Type = "alpm"
	ApkPkg                  Type = "apk"
	BinaryPkg               Type = "binary"
	BitnamiPkg              Type = "bitnami"
	CocoapodsPkg            Type = "pod"
	ConanPkg                Type = "conan"
	CondaPkg                Type = "conda"
	DartPubPkg              Type = "dart-pub"
	DebPkg                  Type = "deb"
	DotnetPkg               Type = "dotnet"
	ErlangOTPPkg            Type = "erlang-otp"
	GemPkg                  Type = "gem"
	GithubActionPkg         Type = "github-action"
	GithubActionWorkflowPkg Type = "github-action-workflow"
	GoModulePkg             Type = "go-module"
	GraalVMNativeImagePkg   Type = "graalvm-native-image"
	HackagePkg              Type = "hackage"
	HexPkg                  Type = "hex"
	JavaPkg                 Type = "java-archive"
	JenkinsPluginPkg        Type = "jenkins-plugin"
	KbPkg                   Type = "msrc-kb"
	LinuxKernelPkg          Type = "linux-kernel"
	LinuxKernelModulePkg    Type = "linux-kernel-module"
	NixPkg                  Type = "nix"
	NpmPkg                  Type = "npm"
	OpamPkg                 Type = "opam"
	PhpComposerPkg          Type = "php-composer"
	PhpPeclPkg              Type = "php-pecl" // Deprecated: will be removed in syft v2.0
	PhpPearPkg              Type = "php-pear"
	PortagePkg              Type = "portage"
	PythonPkg               Type = "python"
	Rpkg                    Type = "R-package"
	LuaRocksPkg             Type = "lua-rocks"
	RpmPkg                  Type = "rpm"
	RustPkg                 Type = "rust-crate"
	SwiftPkg                Type = "swift"
	SwiplPackPkg            Type = "swiplpack"
	TerraformPkg            Type = "terraform"
	WordpressPluginPkg      Type = "wordpress-plugin"
	HomebrewPkg             Type = "homebrew"
	ModelPkg                Type = "model"
)

func TypeByName added in v0.38.0 

func TypeByName(name string) Type

func TypeFromPURL added in v0.37.0 

func TypeFromPURL(p string) Type

func (Type) PackageURLType 

func (t Type) PackageURLType() string

PackageURLType returns the PURL package type for the current package.

func (Type) String added in v1.37.0 

func (t Type) String() string

type WordpressPluginEntry added in v0.105.0 

type WordpressPluginEntry struct {
	// PluginInstallDirectory is directory name where the plugin is installed
	PluginInstallDirectory string `mapstructure:"pluginInstallDirectory" json:"pluginInstallDirectory"`

	// Author is plugin author name
	Author string `mapstructure:"author" json:"author,omitempty"`

	// AuthorURI is author's website URL
	AuthorURI string `mapstructure:"authorUri" json:"authorUri,omitempty"`
}

WordpressPluginEntry represents all metadata parsed from the wordpress plugin file

type YarnLockEntry added in v0.104.0 

type YarnLockEntry struct {
	// Resolved is URL where this package was downloaded from
	Resolved string `mapstructure:"resolved" json:"resolved"`

	// Integrity is Subresource Integrity hash for verification (SRI format)
	Integrity string `mapstructure:"integrity" json:"integrity"`

	// Dependencies is a map of dependencies and their versions
	Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
}

YarnLockEntry represents a single entry section of a yarn.lock file.

Source Files

View all Source files

Directories

Path Synopsis
ai
Package ai provides concrete Cataloger implementations for AI artifacts and machine learning models, including support for GGUF (GPT-Generated Unified Format) model files.
 Package ai provides concrete Cataloger implementations for AI artifacts and machine learning models, including support for GGUF (GPT-Generated Unified Format) model files.
alpine
Package alpine provides a concrete Cataloger implementations for packages relating to the Alpine linux distribution.
 Package alpine provides a concrete Cataloger implementations for packages relating to the Alpine linux distribution.
arch
Package arch provides a concrete Cataloger implementations for packages relating to the Arch linux distribution.
 Package arch provides a concrete Cataloger implementations for packages relating to the Arch linux distribution.
binary
Package binary provides a concrete cataloger implementations for surfacing possible packages based on signatures found within binary files.
 Package binary provides a concrete cataloger implementations for surfacing possible packages based on signatures found within binary files.
binary/test-fixtures/manager command
binary/test-fixtures/manager/internal
binary/test-fixtures/manager/internal/cli
binary/test-fixtures/manager/internal/cli/commands
binary/test-fixtures/manager/internal/config
binary/test-fixtures/manager/internal/ui
binary/test-fixtures/manager/testutil
bitnami
Package bitnami provides a concrete Cataloger implementation for capturing packages embedded within Bitnami SBOM files.
 Package bitnami provides a concrete Cataloger implementation for capturing packages embedded within Bitnami SBOM files.
common/cpe
conda
Package conda provides a concrete Cataloger implementation for packages within the Conda ecosystem.
 Package conda provides a concrete Cataloger implementation for packages within the Conda ecosystem.
cpp
Package cpp provides a concrete Cataloger implementations for the C/C++ language ecosystem.
 Package cpp provides a concrete Cataloger implementations for the C/C++ language ecosystem.
dart
Package dart provides a concrete Cataloger implementations for the Dart language ecosystem.
 Package dart provides a concrete Cataloger implementations for the Dart language ecosystem.
debian
Package debian provides a concrete Cataloger implementation relating to packages within the Debian linux distribution.
 Package debian provides a concrete Cataloger implementation relating to packages within the Debian linux distribution.
dotnet
elixir
Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem.
 Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem.
erlang
Package erlang provides concrete Catalogers implementation relating to packages within the Erlang language ecosystem.
 Package erlang provides concrete Catalogers implementation relating to packages within the Erlang language ecosystem.
generic
gentoo
Package gentoo provides a concrete Cataloger implementation related to packages within the Gentoo linux ecosystem.
 Package gentoo provides a concrete Cataloger implementation related to packages within the Gentoo linux ecosystem.
githubactions
Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows).
 Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows).
golang
Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem.
 Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem.
golang/internal/xcoff
haskell
Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem.
 Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem.
homebrew
internal/binutils
internal/cpegenerate
internal/cpegenerate/dictionary
internal/cpegenerate/dictionary/index-generator command
This program fetches CPE data from the NVD Products API and processes it into a JSON file that can be embedded into Syft for more accurate CPE results.
 This program fetches CPE data from the NVD Products API and processes it into a JSON file that can be embedded into Syft for more accurate CPE results.
internal/dependency
internal/licenses
internal/pe
internal/pkgtest
Package pkgtest provides test helpers for cataloger and parser testing, including automatic observation tracking for capability documentation.
 Package pkgtest provides test helpers for cataloger and parser testing, including automatic observation tracking for capability documentation.
java
Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem.
 Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem.
java/internal/maven
java/internal/maven/test
javascript
Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem.
 Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem.
kernel
Package kernel provides a concrete Cataloger implementation for linux kernel and module files.
 Package kernel provides a concrete Cataloger implementation for linux kernel and module files.
lua
Package lua provides a concrete Cataloger implementation for packages relating to the Lua language ecosystem.
 Package lua provides a concrete Cataloger implementation for packages relating to the Lua language ecosystem.
nix
Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem.
 Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem.
ocaml
Package ocaml provides a concrete Cataloger implementation for packages relating to the OCaml language ecosystem.
 Package ocaml provides a concrete Cataloger implementation for packages relating to the OCaml language ecosystem.
php
Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem.
 Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem.
python
Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem.
 Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem.
r
Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem.
 Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem.
redhat
Package redhat provides a concrete DBCataloger implementation relating to packages within the RedHat linux distribution.
 Package redhat provides a concrete DBCataloger implementation relating to packages within the RedHat linux distribution.
ruby
Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem.
 Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem.
rust
Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem.
 Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem.
sbom
Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files.
 Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files.
snap
Package snap provides a concrete Cataloger implementation for snap packages, extracting metadata from different types of snap files (base, kernel, system/gadget, snapd) rather than just scanning the filesystem.
 Package snap provides a concrete Cataloger implementation for snap packages, extracting metadata from different types of snap files (base, kernel, system/gadget, snapd) rather than just scanning the filesystem.
swift
Package swift provides a concrete Cataloger implementation relating to packages within the swift language ecosystem.
 Package swift provides a concrete Cataloger implementation relating to packages within the swift language ecosystem.
swipl
Package swipl provides a Cataloger implementation relating to packages within the SWI Prolog language ecosystem.
 Package swipl provides a Cataloger implementation relating to packages within the SWI Prolog language ecosystem.
terraform
wordpress

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.