Skip to content

Add internal cataloger capability descriptions #4317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

Add internal cataloger capability descriptions #4317

wants to merge 14 commits into from
+16,637 −40

Conversation

@wagoodman
Copy link
Contributor

This adds the ability, when SYFT_EXP_CAPABILITIES=true, to use an internal syft cataloger info command to describe cataloger capabilities such as:

  • what catalogers exist
  • what globs / evidence are searched for
  • if a cataloger finds licenses
  • if a cataloger detects particular package manager claims (listing of files, digests, package integrity hash)
  • what dependencies (if any) can be detected (depth of nodes, topology of the edges, and kinds of dependencies included)
  • what API and app-level configurations exist for each cataloger

This is available via an ascii table and JSON output.

Caution

This is an experimental feature and can change without warning and could be removed entirely. Do not depend on this command in production.

The way the capabilities are tracked is described in depth in the internal tooling's readme.

A quick summary is that we use the source code and test observations as a basis for what catalogers exist, how they are configured, and what they output. These things are then used to cross-validate a pseudo-generated packages.yaml (some auto generated items, some manually filled in items) with a set of completion tests (tests that ensure the full universe of things are defined and self-consistent) and then used to drive the cataloger info command.

@wagoodman
add info command from generated capabilities
1510db7 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
correct gentoo and arch ecosystems
a92efd5 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
rename os pkg types
02f61ab 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
better binary cataloger description
95ba1b0 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
expose metadata and pacakge types in json
de111f4 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
expose json schema types
63832e5 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
add completeness tests for metadata types
5d182ec 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
latest generation
abfe73b 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
fix linting
0dd906b 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
improve testing a docs
d651245 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
fix tests and linting
16fb680 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
restore goreleaser config
c3e196b 
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman
Merge remote-tracking branch 'origin/main' into ast-parse-cataloger-c…
4a2d94b 
…apabilities

Signed-off-by: Alex Goodman <[email protected]>
@wagoodman wagoodman added the changelog-ignore Don't include this issue in the release changelog label Oct 29, 2025
@wagoodman wagoodman mentioned this pull request Oct 29, 2025
Merged
@wagoodman
tweak diagram
a97e1c6 
Signed-off-by: Alex Goodman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

changelog-ignore Don't include this issue in the release changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wagoodman