Add cataloger for Erlang OTP applications

Signed-off-by: Laurent Goderre <[email protected]>
anchore · Dec 7, 2023 · b3535e9 · b3535e9
1 parent 6fb153e
commit b3535e9
Show file tree

Hide file tree

Showing 14 changed files with 200 additions and 6 deletions.
diff --git a/syft/internal/packagemetadata/generated.go b/syft/internal/packagemetadata/generated.go
@@ -19,6 +19,7 @@ func AllTypes() []any {
 		pkg.DotnetPortableExecutableEntry{},
 		pkg.DpkgDBEntry{},
 		pkg.ElixirMixLockEntry{},
+		pkg.ErlangOTPApplication{},
 		pkg.ErlangRebarLockEntry{},
 		pkg.GolangBinaryBuildinfoEntry{},
 		pkg.GolangModuleEntry{},

diff --git a/syft/internal/packagemetadata/names.go b/syft/internal/packagemetadata/names.go
@@ -93,6 +93,7 @@ var jsonTypes = makeJSONTypes(
 	jsonNames(pkg.PythonPipfileLockEntry{}, "python-pipfile-lock-entry", "PythonPipfileLockMetadata"),
 	jsonNames(pkg.PythonRequirementsEntry{}, "python-pip-requirements-entry", "PythonRequirementsMetadata"),
 	jsonNames(pkg.ErlangRebarLockEntry{}, "erlang-rebar-lock-entry", "RebarLockMetadataType"),
+	jsonNames(pkg.ErlangOTPApplication{}, "erlang-otp-application", "OTPApplicationMetadataType"),
 	jsonNames(pkg.RDescription{}, "r-description", "RDescriptionFileMetadataType"),
 	jsonNames(pkg.RpmDBEntry{}, "rpm-db-entry", "RpmMetadata", "RpmdbMetadata"),
 	jsonNamesWithoutLookup(pkg.RpmArchive{}, "rpm-archive", "RpmMetadata"), // the legacy value is split into two types, where the other is preferred

diff --git a/syft/internal/packagemetadata/names_test.go b/syft/internal/packagemetadata/names_test.go
@@ -205,6 +205,11 @@ func TestReflectTypeFromJSONName_LegacyValues(t *testing.T) {
 			input:    "RebarLockMetadataType",
 			expected: reflect.TypeOf(pkg.ErlangRebarLockEntry{}),
 		},
+		{
+			name:     "map pkg.ErlangOTPApplication struct type",
+			input:    "OTPApplicationMetadataType",
+			expected: reflect.TypeOf(pkg.ErlangOTPApplication{}),
+		},
 		{
 			name:     "map pkg.RDescription struct type",
 			input:    "RDescriptionFileMetadataType",
@@ -444,6 +449,12 @@ func Test_JSONName_JSONLegacyName(t *testing.T) {
 			expectedJSONName:   "erlang-rebar-lock-entry",
 			expectedLegacyName: "RebarLockMetadataType",
 		},
+		{
+			name:               "OTPApplicationMetadata",
+			metadata:           pkg.ErlangOTPApplication{},
+			expectedJSONName:   "erlang-otp-application",
+			expectedLegacyName: "OTPApplicationMetadataType",
+		},
 		{
 			name:               "RDescriptionFileMetadata",
 			metadata:           pkg.RDescription{},

diff --git a/syft/pkg/cataloger/cataloger.go b/syft/pkg/cataloger/cataloger.go
@@ -48,6 +48,7 @@ func ImageCatalogers(cfg Config) []pkg.Cataloger {
 		cpp.NewConanInfoCataloger(),
 		debian.NewDBCataloger(),
 		dotnet.NewDotnetPortableExecutableCataloger(),
+		erlang.NewOTPCataloger(),
 		golang.NewGoModuleBinaryCataloger(cfg.Golang),
 		java.NewArchiveCataloger(cfg.JavaConfig()),
 		java.NewNativeImageCataloger(),
@@ -76,6 +77,7 @@ func DirectoryCatalogers(cfg Config) []pkg.Cataloger {
 		dotnet.NewDotnetPortableExecutableCataloger(),
 		elixir.NewMixLockCataloger(),
 		erlang.NewRebarLockCataloger(),
+		erlang.NewOTPCataloger(),
 		githubactions.NewActionUsageCataloger(),
 		githubactions.NewWorkflowUsageCataloger(),
 		golang.NewGoModuleFileCataloger(cfg.Golang),
@@ -115,6 +117,7 @@ func AllCatalogers(cfg Config) []pkg.Cataloger {
 		dotnet.NewDotnetPortableExecutableCataloger(),
 		elixir.NewMixLockCataloger(),
 		erlang.NewRebarLockCataloger(),
+		erlang.NewOTPCataloger(),
 		githubactions.NewActionUsageCataloger(),
 		githubactions.NewWorkflowUsageCataloger(),
 		golang.NewGoModuleFileCataloger(cfg.Golang),

diff --git a/syft/pkg/cataloger/cataloger_test.go b/syft/pkg/cataloger/cataloger_test.go
@@ -35,6 +35,7 @@ func Test_filterCatalogers(t *testing.T) {
 		"dotnet-deps-cataloger",
 		"elixir-mix-lock-cataloger",
 		"erlang-rebar-lock-cataloger",
+		"erlang-otp-application-cataloger",
 		"go-module-file-cataloger",
 		"go-module-binary-cataloger",
 		"haskell-cataloger",

diff --git a/syft/pkg/cataloger/erlang/cataloger.go b/syft/pkg/cataloger/erlang/cataloger.go
@@ -1,5 +1,5 @@
 /*
-Package erlang provides a concrete Cataloger implementation relating to packages within the Erlang language ecosystem.
+Package erlang provides concrete Catalogers implementation relating to packages within the Erlang language ecosystem.
 */
 package erlang
 
@@ -13,3 +13,8 @@ func NewRebarLockCataloger() pkg.Cataloger {
 	return generic.NewCataloger("erlang-rebar-lock-cataloger").
 		WithParserByGlobs(parseRebarLock, "**/rebar.lock")
 }
+
+func NewOTPCataloger() pkg.Cataloger {
+	return generic.NewCataloger("erlang-otp-application-cataloger").
+		WithParserByGlobs(parseOTPApp, "**/*.app")
+}
diff --git a/syft/pkg/cataloger/erlang/cataloger_test.go b/syft/pkg/cataloger/erlang/cataloger_test.go
@@ -6,7 +6,7 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
 )
 
-func TestCataloger_Globs(t *testing.T) {
+func TestCatalogerRebar_Globs(t *testing.T) {
 	tests := []struct {
 		name     string
 		fixture  string
@@ -30,3 +30,28 @@ func TestCataloger_Globs(t *testing.T) {
 		})
 	}
 }
+
+func TestCatalogerOTP_Globs(t *testing.T) {
+	tests := []struct {
+		name     string
+		fixture  string
+		expected []string
+	}{
+		{
+			name:    "obtain OTP resource files",
+			fixture: "test-fixtures/glob-paths",
+			expected: []string{
+				"src/rabbitmq.app",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			pkgtest.NewCatalogTester().
+				FromDirectory(t, test.fixture).
+				ExpectsResolverContentQueries(test.expected).
+				TestCataloger(t, NewOTPCataloger())
+		})
+	}
+}
diff --git a/syft/pkg/cataloger/erlang/package.go b/syft/pkg/cataloger/erlang/package.go
@@ -6,13 +6,13 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )
 
-func newPackage(d pkg.ErlangRebarLockEntry, locations ...file.Location) pkg.Package {
+func newPackageFromRebar(d pkg.ErlangRebarLockEntry, locations ...file.Location) pkg.Package {
 	p := pkg.Package{
 		Name:      d.Name,
 		Version:   d.Version,
 		Language:  pkg.Erlang,
 		Locations: file.NewLocationSet(locations...),
-		PURL:      packageURL(d),
+		PURL:      packageURLFromRebar(d),
 		Type:      pkg.HexPkg,
 		Metadata:  d,
 	}
@@ -22,7 +22,7 @@ func newPackage(d pkg.ErlangRebarLockEntry, locations ...file.Location) pkg.Pack
 	return p
 }
 
-func packageURL(m pkg.ErlangRebarLockEntry) string {
+func packageURLFromRebar(m pkg.ErlangRebarLockEntry) string {
 	var qualifiers packageurl.Qualifiers
 
 	return packageurl.NewPackageURL(
@@ -34,3 +34,32 @@ func packageURL(m pkg.ErlangRebarLockEntry) string {
 		"",
 	).ToString()
 }
+
+func newPackageFromOTP(d pkg.ErlangOTPApplication, locations ...file.Location) pkg.Package {
+	p := pkg.Package{
+		Name:      d.Name,
+		Version:   d.Version,
+		Language:  pkg.Erlang,
+		Locations: file.NewLocationSet(locations...),
+		PURL:      packageURLFromOTP(d),
+		Type:      pkg.UnknownPkg,
+		Metadata:  d,
+	}
+
+	p.SetID()
+
+	return p
+}
+
+func packageURLFromOTP(m pkg.ErlangOTPApplication) string {
+	var qualifiers packageurl.Qualifiers
+
+	return packageurl.NewPackageURL(
+		packageurl.TypeGeneric,
+		"",
+		m.Name,
+		m.Version,
+		qualifiers,
+		"",
+	).ToString()
+}
diff --git a/syft/pkg/cataloger/erlang/parse_otp_app.go b/syft/pkg/cataloger/erlang/parse_otp_app.go
@@ -0,0 +1,47 @@
+package erlang
+
+import (
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/generic"
+)
+
+// parseRebarLock parses a rebar.lock and returns the discovered Elixir packages.
+//
+//nolint:funlen
+func parseOTPApp(_ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
+	doc, err := parseErlang(reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var packages []pkg.Package
+
+	root := doc.Get(0)
+
+	name := root.Get(1).String()
+
+	keys := root.Get(2)
+
+	for _, key := range keys.Slice() {
+		if key.Get(0).String() == "vsn" {
+			version := key.Get(1).String()
+
+			p := newPackageFromOTP(
+				pkg.ErlangOTPApplication{
+					Name:    name,
+					Version: version,
+				},
+				reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
+			)
+
+			packages = append(packages, p)
+		}
+	}
+
+	return packages, nil, nil
+}
+
+// integrity check
+var _ generic.Parser = parseOTPApp
diff --git a/syft/pkg/cataloger/erlang/parse_otp_app_test.go b/syft/pkg/cataloger/erlang/parse_otp_app_test.go
@@ -0,0 +1,47 @@
+package erlang
+
+import (
+	"testing"
+
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest"
+)
+
+func TestParseOTPApplication(t *testing.T) {
+	tests := []struct {
+		fixture  string
+		expected []pkg.Package
+	}{
+		{
+			fixture: "test-fixtures/rabbitmq.app",
+			expected: []pkg.Package{
+				{
+					Name:     "rabbit",
+					Version:  "3.12.10",
+					Language: pkg.Erlang,
+					Type:     pkg.UnknownPkg,
+					PURL:     "pkg:generic/[email protected]",
+					Metadata: pkg.ErlangOTPApplication{
+						Name:    "rabbit",
+						Version: "3.12.10",
+					},
+				},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.fixture, func(t *testing.T) {
+			// TODO: relationships are not under test
+			var expectedRelationships []artifact.Relationship
+
+			for idx := range test.expected {
+				test.expected[idx].Locations = file.NewLocationSet(file.NewLocation(test.fixture))
+			}
+
+			pkgtest.TestFileParser(t, test.fixture, parseOTPApp, test.expected, expectedRelationships)
+		})
+	}
+}
diff --git a/syft/pkg/cataloger/erlang/parse_rebar_lock.go b/syft/pkg/cataloger/erlang/parse_rebar_lock.go
@@ -48,7 +48,7 @@ func parseRebarLock(_ file.Resolver, _ *generic.Environment, reader file.Locatio
 			version = versionNode.Get(2).Get(1).String()
 		}
 
-		p := newPackage(
+		p := newPackageFromRebar(
 			pkg.ErlangRebarLockEntry{
 				Name:    name,
 				Version: version,

diff --git a/syft/pkg/cataloger/erlang/test-fixtures/glob-paths/src/rabbitmq.app b/syft/pkg/cataloger/erlang/test-fixtures/glob-paths/src/rabbitmq.app
@@ -0,0 +1 @@
+bogus erlang file
diff --git a/syft/pkg/cataloger/erlang/test-fixtures/rabbitmq.app b/syft/pkg/cataloger/erlang/test-fixtures/rabbitmq.app
@@ -0,0 +1,18 @@
+{application, 'rabbit', [
+	{description, "RabbitMQ"},
+	{vsn, "3.12.10"},
+	{id, "v3.12.9-9-g1f61ca8"},
+	{modules, ['amqqueue','background_gc']},
+	{optional_applications, []},
+	{env, [
+	    {memory_monitor_interval, 2500},
+	    {disk_free_limit, 50000000}, %% 50MB
+	    {msg_store_index_module, rabbit_msg_store_ets_index},
+	    {backing_queue_module, rabbit_variable_queue},
+	    %% 0 ("no limit") would make a better default, but that
+	    %% breaks the QPid Java client
+	    {frame_max, 131072},
+	    %% see rabbitmq-server#1593
+	    {channel_max, 2047}
+	  ]}
+]}.
diff --git a/syft/pkg/erlang.go b/syft/pkg/erlang.go
@@ -7,3 +7,8 @@ type ErlangRebarLockEntry struct {
 	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
 	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
 }
+
+type ErlangOTPApplication struct {
+	Name    string `mapstructure:"name" json:"name"`
+	Version string `mapstructure:"version" json:"version"`
+}