@gabetrau

Support C++ package manager Vcpkg

Questions I have

  • vcpkg has "Port versions"; these get added to the end of the version if they are 1 or above. They are separated by a hashtag, e.g. 1.0.2#1. I add the combined version to the PURL. Is it okay to have '#' in a PURL? Also this issue is relevant to PURL
  • If there is no VCPKG_ROOT env variable set, I'm currently looking at the vcpkg cache to see if the info needed is in the git directory stored there. To do this I use the cache manager and then relative to that, I retrieve the folder for the vcpkg cache. Is this allowed?
  • Some of the fields in VcpkgManifest are already in the Pkg struct, for example name and version. Is this allowed, or do I need to make sure it's only included once?

Other Comments I have

  • Vcpkg uses git's internal tree objects in order to fetch dependencies, so to hunt down information I relied heavily on go-git. I wanted to make sure I was getting as much relevant data as possible, and the files in the vcpkg build directory on their own didn't seem to work.
  • This is my first large (at least to me it's large) open source PR, so I'd love feedback on how I can improve.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
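
The '#' question in the description above, as an added example that is not part of this PR or of Syft's code: in a purl a raw '#' starts the subpath component, so a version carrying a vcpkg port-version only survives a round trip when it is percent-encoded. The `vcpkg` type string, the sample values and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PURL holds only the components this example inspects.
type PURL struct{ Type, Name, Version, Subpath string }

// VcpkgVersion appends the port-version after '#' only when it is 1 or above.
func VcpkgVersion(version string, portVersion int) string {
	if portVersion < 1 {
		return version
	}
	return fmt.Sprintf("%s#%d", version, portVersion)
}

// BuildPURL percent-encodes '#' as %23; the "vcpkg" type is an assumption of this example.
func BuildPURL(name, version string) string {
	return "pkg:vcpkg/" + url.PathEscape(name) + "@" + url.PathEscape(version)
}

// ParsePURL is a minimal parser: raw '#' starts the subpath, '?' the qualifiers, last '@' the version.
func ParsePURL(s string) (PURL, error) {
	var p PURL
	rest, ok := strings.CutPrefix(s, "pkg:")
	if !ok {
		return p, fmt.Errorf("missing pkg: scheme in %q", s)
	}
	rest, p.Subpath, _ = strings.Cut(rest, "#")
	rest, _, _ = strings.Cut(rest, "?")
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		v, err := url.PathUnescape(rest[i+1:])
		if err != nil {
			return p, err
		}
		p.Version, rest = v, rest[:i]
	}
	p.Type, p.Name, _ = strings.Cut(rest, "/")
	return p, nil
}

func main() {
	// Constructed sample: the encoded form first, then the unencoded form for comparison.
	for _, s := range []string{BuildPURL("zlib", VcpkgVersion("1.0.2", 1)), "pkg:vcpkg/zlib@1.0.2#1"} {
		p, _ := ParsePURL(s)
		fmt.Printf("%-28s version=%q subpath=%q\n", s, p.Version, p.Subpath)
	}
}
```

With the unencoded form, a consumer reads version 1.0.2 and a subpath of 1, so the port-version is silently lost when SBOM entries are matched on version.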

@github-actions github-actions bot added the json-schema Changes the json schema label Jul 24, 2025
@gabetrau gabetrau force-pushed the vcpkg branch 2 times, most recently from db250f0 to 95fdbef Compare July 29, 2025 02:44
Contributor

looks like a binary was committed -- is this necessary?

Contributor

bin committed, but probably not needed

Contributor

bin committed, but probably not needed

Contributor

bin committed, but probably not needed

Contributor

large binary -- should not be committed

Contributor

bin committed, but probably not needed

Contributor

bin committed, but probably not needed

@wagoodman
Contributor

@gabetrau from our conversation in office hours, feel free to open a PR to https://github.com/anchore/vcpkg-test-fixture for any of the test fixtures you need. If you get a PR going that has at least the test fixtures in place, we can then get a ghcr.io image in that repo created that encapsulates any build processes if we need it. Even if there are no build processes we might still capture this as an image so we can test against the container image, which is a common pattern in testing (the pattern may need tweaking to account for the external image).

@gabetrau
Author

gabetrau commented Aug 1, 2025

> @gabetrau from our conversation in office hours, feel free to open a PR to https://github.com/anchore/vcpkg-test-fixture for any of the test fixtures you need. If you get a PR going that has at least the test fixtures in place, we can then get a ghcr.io image in that repo created that encapsulates any build processes if we need it. Even if there are no build processes we might still capture this as an image so we can test against the container image, which is a common pattern in testing (the pattern may need tweaking to account for the external image).

@wagoodman It might be simpler if we make the vcpkg-test-fixture repo a custom vcpkg registry. Then I can just enable git clone for the test and remove all of the unneeded files from the helloworld example. vcpkg-test-fixture. I updated this PR to use the custom one. Would this route be okay, or would you still prefer the ghcr.io image route?

Also, I'm having trouble making a PR to https://github.com/anchore/vcpkg-test-fixture since it is empty

@spiffcs
Contributor

spiffcs commented Aug 13, 2025

I've kicked off the checks on this one but since @wagoodman already has some context here no need to add more cooks to the kitchen.

@gabetrau gabetrau force-pushed the vcpkg branch 2 times, most recently from 63f3521 to 600d986 Compare August 21, 2025 03:48
@github-actions github-actions bot removed the json-schema Changes the json schema label Aug 21, 2025
@github-actions github-actions bot added the json-schema Changes the json schema label Aug 21, 2025
Find and parse vcpkg-lock.json to get HEAD commit hash

Signed-off-by: Gabriel Rau <[email protected]>
dependencies for vcpkg registry to be pulled in

add tree hashes and use correct git hash in builtin-baseline for helloworld test

vcpkg-registry for testing that uses object hashes from syft repo

fix broken tests

Signed-off-by: Gabriel Rau <[email protected]>
Signed-off-by: Gabriel Rau <[email protected]>
@houdini91
Contributor

Thanks for doing this. I was looking into a vcpkg cataloger myself recently; thankfully you're one step ahead.

Labels

json-schema Changes the json schema

Development

Successfully merging this pull request may close these issues.

Support for vcpkg

4 participants