strip down syft format code

go.mod

@@ -5,21 +5,17 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v1.2.1
 	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
-	github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1
 	github.com/anchore/syft v0.65.0
 	github.com/apex/log v1.1.4
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5
 	github.com/gabriel-vasile/mimetype v1.4.1
-	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/onsi/gomega v1.24.2
 	github.com/pelletier/go-toml v1.9.5
 	github.com/sclevine/spec v1.4.0
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
-	github.com/sergi/go-diff v1.2.0
 	github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342
 	github.com/stretchr/testify v1.8.1
 	github.com/ulikunitz/xz v0.5.11

sbom/internal/formats/syft2/README.md

@@ -7,3 +7,5 @@ of Syft that supports Syft JSON Schema 2.0.2.
 The implementations of `decoder` and `validator` have been omitted for
 simplicity, since they are not required for buildpacks' SBOM generation.
 
+Aspects of the model have been copied over due to slight deviations against the
+latest Syft JSON model.

sbom/internal/formats/syft2/model/document.go

@@ -1,15 +1,17 @@
 package model
 
+import "github.com/anchore/syft/syft/formats/syftjson/model"
+
 // Document represents the syft cataloging findings as a JSON document
 type Document struct {
-	Artifacts             []Package      `json:"artifacts"` // Artifacts is the list of packages discovered and placed into the catalog
-	ArtifactRelationships []Relationship `json:"artifactRelationships"`
-	Files                 []File         `json:"files,omitempty"`   // note: must have omitempty
-	Secrets               []Secrets      `json:"secrets,omitempty"` // note: must have omitempty
-	Source                Source         `json:"source"`            // Source represents the original object that was cataloged
-	Distro                Distro         `json:"distro"`            // Distro represents the Linux distribution that was detected from the source
-	Descriptor            Descriptor     `json:"descriptor"`        // Descriptor is a block containing self-describing information about syft
-	Schema                Schema         `json:"schema"`            // Schema is a block reserved for defining the version for the shape of this JSON document and where to find the schema document to validate the shape
+	Artifacts             []Package            `json:"artifacts"` // Artifacts is the list of packages discovered and placed into the catalog
+	ArtifactRelationships []model.Relationship `json:"artifactRelationships"`
+	Files                 []model.File         `json:"files,omitempty"`   // note: must have omitempty
+	Secrets               []model.Secrets      `json:"secrets,omitempty"` // note: must have omitempty
+	Source                Source               `json:"source"`            // Source represents the original object that was cataloged
+	Distro                Distro               `json:"distro"`            // Distro represents the Linux distribution that was detected from the source
+	Descriptor            model.Descriptor     `json:"descriptor"`        // Descriptor is a block containing self-describing information about syft
+	Schema                model.Schema         `json:"schema"`            // Schema is a block reserved for defining the version for the shape of this JSON document and where to find the schema document to validate the shape
 }
 
 // Descriptor describes what created the document as well as surrounding metadata

sbom/internal/formats/syft2/to_format_model.go

@@ -13,22 +13,23 @@ import (
 
 	"github.com/anchore/syft/syft/sbom"
 
+	"github.com/anchore/syft/syft/formats/syftjson/model"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/source"
-	"github.com/paketo-buildpacks/packit/v2/sbom/internal/formats/syft2/model"
+	internalmodel "github.com/paketo-buildpacks/packit/v2/sbom/internal/formats/syft2/model"
 	syft2source "github.com/paketo-buildpacks/packit/v2/sbom/internal/formats/syft2/source"
 )
 
 // NOTE: Adaptions have been added to functions in this file to translate from latest
 // syft package representations to legacy JSON schema
 
-func ToFormatModel(s sbom.SBOM) model.Document {
+func ToFormatModel(s sbom.SBOM) internalmodel.Document {
 	src, err := toSourceModel(s.Source)
 	if err != nil { //nolint:staticcheck
 		// log.Warnf("unable to create syft-json source object: %+v", err)
 	}
 
-	return model.Document{
+	return internalmodel.Document{
 		Artifacts:             toPackageModels(s.Artifacts.PackageCatalog),
 		ArtifactRelationships: toRelationshipModel(s.Relationships),
 		Files:                 toFile(s),
@@ -124,8 +125,8 @@ func toFileMetadataEntry(coordinates source.Coordinates, metadata *source.FileMe
 	}
 }
 
-func toPackageModels(catalog *pkg.Catalog) []model.Package {
-	artifacts := make([]model.Package, 0)
+func toPackageModels(catalog *pkg.Catalog) []internalmodel.Package {
+	artifacts := make([]internalmodel.Package, 0)
 	if catalog == nil {
 		return artifacts
 	}
@@ -136,7 +137,7 @@ func toPackageModels(catalog *pkg.Catalog) []model.Package {
 }
 
 // toPackageModel crates a new Package from the given pkg.Package.
-func toPackageModel(p pkg.Package) model.Package {
+func toPackageModel(p pkg.Package) internalmodel.Package {
 	var cpes = make([]string, len(p.CPEs))
 	for i, c := range p.CPEs {
 		cpes[i] = cpe.String(c)
@@ -153,8 +154,8 @@ func toPackageModel(p pkg.Package) model.Package {
 		coordinates[i] = l.Coordinates
 	}
 
-	return model.Package{
-		PackageBasicData: model.PackageBasicData{
+	return internalmodel.Package{
+		PackageBasicData: internalmodel.PackageBasicData{
 			ID:        string(p.ID()),
 			Name:      p.Name,
 			Version:   p.Version,
@@ -166,7 +167,7 @@ func toPackageModel(p pkg.Package) model.Package {
 			CPEs:      cpes,
 			PURL:      p.PURL,
 		},
-		PackageCustomData: model.PackageCustomData{
+		PackageCustomData: internalmodel.PackageCustomData{
 			MetadataType: p.MetadataType,
 			Metadata:     p.Metadata,
 		},
@@ -189,35 +190,35 @@ func toRelationshipModel(relationships []artifact.Relationship) []model.Relation
 // toSourceModel creates a new source object to be represented into JSON.
 // NOTE: THIS FUNCTION is NOT identical to the one that appears in the original version of this file.
 // It converts ImageMetadata into a struct that matches the old Syft schema.
-func toSourceModel(src source.Metadata) (model.Source, error) {
+func toSourceModel(src source.Metadata) (internalmodel.Source, error) {
 	switch src.Scheme {
 	case source.ImageScheme:
-		return model.Source{
+		return internalmodel.Source{
 			Type: "image",
 			// convert src.ImageMetadata into a struct with the old syft metadata fields
 			Target: syft2source.ConvertImageMetadata(src.ImageMetadata),
 		}, nil
 	case source.DirectoryScheme:
-		return model.Source{
+		return internalmodel.Source{
 			Type:   "directory",
 			Target: src.Path,
 		}, nil
 	case source.FileScheme:
-		return model.Source{
+		return internalmodel.Source{
 			Type:   "file",
 			Target: src.Path,
 		}, nil
 	default:
-		return model.Source{}, fmt.Errorf("unsupported source: %q", src.Scheme)
+		return internalmodel.Source{}, fmt.Errorf("unsupported source: %q", src.Scheme)
 	}
 }
 
 // // toDistroModel creates a struct with the Linux distribution to be represented in JSON.
 // NOTE: THIS FUNCTION is NOT identical to the one that appears in the original version of this file.
 // It now converts from a linux.Release to a model.Distro to maintain backward compatibility.
-func toDistroModel(d *linux.Release) model.Distro {
+func toDistroModel(d *linux.Release) internalmodel.Distro {
 	if d == nil {
-		return model.Distro{}
+		return internalmodel.Distro{}
 	}
 
 	idLike := d.ID
@@ -226,7 +227,7 @@ func toDistroModel(d *linux.Release) model.Distro {
 		idLike = d.IDLike[0]
 	}
 
-	return model.Distro{
+	return internalmodel.Distro{
 		Name:    d.ID,
 		Version: d.Version,
 		IDLike:  idLike,

sbom/internal/formats/syft301/README.md

@@ -7,3 +7,5 @@ of Syft that supports Syft JSON Schema 3.0.1.
 The implementations of `decoder` and `validator` have been omitted for
 simplicity, since they are not required for buildpacks' SBOM generation.
 
+Aspects of the model have been copied over due to slight deviations against the
+latest Syft JSON model.

sbom/internal/formats/syft301/model/document.go

@@ -1,15 +1,17 @@
 package model
 
+import "github.com/anchore/syft/syft/formats/syftjson/model"
+
 // Document represents the syft cataloging findings as a JSON document
 type Document struct {
-	Artifacts             []Package      `json:"artifacts"` // Artifacts is the list of packages discovered and placed into the catalog
-	ArtifactRelationships []Relationship `json:"artifactRelationships"`
-	Files                 []File         `json:"files,omitempty"`   // note: must have omitempty
-	Secrets               []Secrets      `json:"secrets,omitempty"` // note: must have omitempty
-	Source                Source         `json:"source"`            // Source represents the original object that was cataloged
-	Distro                LinuxRelease   `json:"distro"`            // Distro represents the Linux distribution that was detected from the source
-	Descriptor            Descriptor     `json:"descriptor"`        // Descriptor is a block containing self-describing information about syft
-	Schema                Schema         `json:"schema"`            // Schema is a block reserved for defining the version for the shape of this JSON document and where to find the schema document to validate the shape
+	Artifacts             []model.Package      `json:"artifacts"` // Artifacts is the list of packages discovered and placed into the catalog
+	ArtifactRelationships []model.Relationship `json:"artifactRelationships"`
+	Files                 []model.File         `json:"files,omitempty"`   // note: must have omitempty
+	Secrets               []model.Secrets      `json:"secrets,omitempty"` // note: must have omitempty
+	Source                Source               `json:"source"`            // Source represents the original object that was cataloged
+	Distro                model.LinuxRelease   `json:"distro"`            // Distro represents the Linux distribution that was detected from the source
+	Descriptor            model.Descriptor     `json:"descriptor"`        // Descriptor is a block containing self-describing information about syft
+	Schema                model.Schema         `json:"schema"`            // Schema is a block reserved for defining the version for the shape of this JSON document and where to find the schema document to validate the shape
 }
 
 // Descriptor describes what created the document as well as surrounding metadata