pkg/sca: add static:lib<name> provides and dependency tracking#2471
Open
smoser wants to merge 5 commits into chainguard-dev:main from
Conversation
Scan .a files in standard library directories and emit static:lib<name> provides via SCA, mirroring how so: and pc: provides are generated. Also parse Libs.private fields from .pc files to discover static:lib<name> runtime dependencies. This generation is gated behind the MELANGE_GENERATE_STATIC_DEPS environment variable (accepted values: "true" or "false"); when disabled, candidate dependencies are only logged so the impact can be evaluated before enabling. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously the Libs.private deps were generated for whichever package contained the .pc file (typically -dev). Static deps need to land on the package that owns the .a file (-static) so that linking with -lfoo -static pulls in transitive static deps automatically. Search sibling packages for a matching <libname>.pc when a .a file is found, and derive static:lib<name> runtime dependencies from its Libs.private field there. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Test provides generation from .a files in standard and non-standard directories, runtime dep generation from sibling pkg-config Libs.private fields, the feature flag logging-only mode, and parseEnvBool. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use strings.FieldsSeq (modernize)
- Preallocate names slice in RelativeNames (prealloc)
- Apply gofumpt formatting
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
py3-seaborn bundles libnpymath.a and libnpyrandom.a from numpy; the new static library SCA correctly identifies these as vendored static libs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
xnox
requested changes
Apr 17, 2026
Member
For make package/yara, does this produce what you expect?
I got this:
$ cat .PKGINFO
# Generated by melange
pkgname = yara-dev
pkgver = 4.5.5-r4
arch = x86_64
size = 1327707
origin = yara
pkgdesc = yara dev
url =
commit = 4a947e9ea1a780700c9a08b6bf3fd6f1b39564a4
maintainer = wolfi
builddate = 1776449776
license = BSD-3-Clause
depend = pc:libcrypto
depend = so:libyara.so.10
depend = yara
provides = pc:yara=4.5.5-r4
provides = static:libyara
datahash = 6189486c4c5d7d42897842cc3c72ec6031391da3a4457278f5c4726659eb8259
And the pc file is this https://apk.chaindag.dev/https/packages.wolfi.dev/os/x86_64/yara-dev-4.5.5-r4.apk@sha1:d9a54cb0de2b4589b0da207a183e1464c0c70036/usr/lib/pkgconfig/yara.pc
prefix=/usr
exec_prefix=${prefix}
includedir=${prefix}/include
libdir=/usr/lib
Name: yara
Description: YARA library
URL: https://virustotal.github.io/yara/
Version: 4.5.5
Requires.private: libcrypto
Cflags: -I${includedir}
Libs: -L${libdir} -lyara
Libs.private: -lm -lmagic
Should there be static dependency on magic?
Also not sure how you want to handle Requires.private - as that says that for static linking one needs whatever static linking flags are specified in libcrypto.pc, as in like a dep on static:libcrypto.
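The Libs.private parsing the PR describes, run over the yara.pc quoted in this review, as an added Go example that is not melange's own code: it derives the static:lib<name> deps from the -l flags and also pulls out the Requires.private module names, so the -lm/-lmagic and libcrypto questions above can be seen concretely. The helper name pkgConfigPrivate is hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// yaraPC: the yara.pc quoted in the review above, reduced to the relevant fields (example input).
const yaraPC = `prefix=/usr
libdir=/usr/lib
Name: yara
Requires.private: libcrypto
Libs: -L${libdir} -lyara
Libs.private: -lm -lmagic
`

// pkgConfigPrivate parses a pkg-config .pc file's text and returns the static:lib<name>
// deps implied by the -l flags in Libs.private, plus the module names in Requires.private.
// Hypothetical helper written for this example, not melange's own parser.
func pkgConfigPrivate(pc string) (libs, requires []string) {
	sc := bufio.NewScanner(strings.NewReader(pc))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok || strings.Contains(key, "=") {
			continue // blank lines and variable definitions such as prefix=/usr
		}
		switch strings.TrimSpace(key) {
		case "Libs.private":
			for _, f := range strings.Fields(val) {
				if name, ok := strings.CutPrefix(f, "-l"); ok && name != "" {
					libs = append(libs, "static:lib"+name)
				}
			}
		case "Requires.private":
			// Entries are comma separated and may carry a version constraint ("libcrypto >= 3.0").
			for _, m := range strings.Split(val, ",") {
				if f := strings.Fields(m); len(f) > 0 {
					requires = append(requires, f[0])
				}
			}
		}
	}
	return libs, requires
}

func main() {
	libs, requires := pkgConfigPrivate(yaraPC)
	fmt.Println(libs, requires) // [static:libm static:libmagic] [libcrypto]
}
```

Note that -lm surfaces as static:libm alongside static:libmagic; whether libc-provided libraries should be filtered is exactly the open question in this review.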