Add syft tool (#135)

Closes #131
2025-12-27 01:54:13 -05:00 · 2023-06-10 11:55:59 +02:00
parent 4df72e2d1e
commit 9ead2563c7
5 changed files with 90 additions and 12 deletions
--- a/.github/.cspell/project-dictionary.txt
+++ b/.github/.cspell/project-dictionary.txt
@@ -17,6 +17,7 @@ quickinstall
 rockylinux
 shellcheck
 shfmt
+syft
 udeps
 wasmtime
 watchexec
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,19 +44,19 @@ jobs:
        tool:
          # cargo-watch/watchexec-cli is supported by cargo-binstall (through quickinstall)
          # TODO: valgrind installation sometime hangs.
-          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
        include:
          # Note: Specifying the version of valgrind and cargo-binstall is not supported.
          - os: ubuntu-20.04
-            tool: cargo-hack@0.5.24,cargo-llvm-cov@0.5.3,cargo-minimal-versions@0.1.8,cargo-no-dev-deps@0.1.0,parse-changelog@0.5.2,cargo-udeps@0.1.35,cargo-valgrind@2.1.0,cargo-deny@0.13.5,cross@0.2.4,dprint@0.34.1,just@1.9.0,nextest@0.9.11,protoc@3.21.12,shellcheck@0.9.0,shfmt@3.6.0,wasm-pack@0.10.3,wasmtime@4.0.0,mdbook@0.4.25,mdbook-linkcheck@0.7.7,cargo-watch@8.1.1,grcov@0.8.13,watchexec-cli@1.20.5,cargo-tarpaulin@0.25.0,zola@0.16.1
+            tool: cargo-hack@0.5.24,cargo-llvm-cov@0.5.3,cargo-minimal-versions@0.1.8,cargo-no-dev-deps@0.1.0,parse-changelog@0.5.2,cargo-udeps@0.1.35,cargo-valgrind@2.1.0,cargo-deny@0.13.5,cross@0.2.4,dprint@0.34.1,just@1.9.0,nextest@0.9.11,protoc@3.21.12,shellcheck@0.9.0,shfmt@3.6.0,wasm-pack@0.10.3,wasmtime@4.0.0,mdbook@0.4.25,mdbook-linkcheck@0.7.7,cargo-watch@8.1.1,grcov@0.8.13,watchexec-cli@1.20.5,cargo-tarpaulin@0.25.0,zola@0.16.1,syft@0.83.0
          - os: ubuntu-20.04
-            tool: cargo-hack@0.5,cargo-llvm-cov@0.5,cargo-minimal-versions@0.1,cargo-no-dev-deps@0.1,parse-changelog@0.5,cargo-udeps@0.1,cargo-valgrind@2.1,cargo-deny@0.13,cross@0.2,dprint@0.34,just@1.9,nextest@0.9,protoc@3.21,shellcheck@0.9,shfmt@3.5,wasm-pack@0.10,wasmtime@6.0,mdbook@0.4,mdbook-linkcheck@0.7,cargo-watch@8.1,grcov@0.8,watchexec-cli@1.20,cargo-tarpaulin@0.25,zola@0.16
+            tool: cargo-hack@0.5,cargo-llvm-cov@0.5,cargo-minimal-versions@0.1,cargo-no-dev-deps@0.1,parse-changelog@0.5,cargo-udeps@0.1,cargo-valgrind@2.1,cargo-deny@0.13,cross@0.2,dprint@0.34,just@1.9,nextest@0.9,protoc@3.21,shellcheck@0.9,shfmt@3.5,wasm-pack@0.10,wasmtime@6.0,mdbook@0.4,mdbook-linkcheck@0.7,cargo-watch@8.1,grcov@0.8,watchexec-cli@1.20,cargo-tarpaulin@0.25,zola@0.16,syft@0.83
          - os: ubuntu-20.04
            tool: cargo-valgrind@2, just@1,protoc@3 , shfmt@3 ,wasmtime@7,cargo-watch@8,watchexec-cli@1
          - os: macos-11
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
          - os: windows-2019
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
    runs-on: ${{ matrix.os }}
    timeout-minutes: 60
    steps:
@@ -104,25 +104,25 @@ jobs:
          - fedora:latest # glibc 2.36 (as of fedora 37)
        tool:
          # valgrind: installing snap to container is difficult...
-          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola
+          - cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,zola,syft
        include:
          # glibc < 2.31
          # zola don't provide prebuilt binaries for musl or old glibc host.
          - container: ubuntu:18.04 # glibc 2.27
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
          - container: debian:10-slim # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
          - container: rockylinux:8 # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
          - container: rockylinux:8-minimal # glibc 2.28
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,protoc,shellcheck,shfmt,wasm-pack,wasmtime,mdbook,mdbook-linkcheck,cargo-watch,grcov,watchexec-cli,cargo-tarpaulin,syft
          # glibc < 2.27 or musl
          - container: centos:7 # glibc 2.17
            # protoc,valgrind,wasmtime,mdbook-linkcheck,cargo-watch,zola don't provide prebuilt binaries for musl or old glibc host.
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin,syft
          - container: alpine:latest # musl 1.2.3 (as of alpine 3.17)
            # protoc,valgrind,wasmtime,mdbook-linkcheck,cargo-watch,zola don't provide prebuilt binaries for musl host.
-            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin
+            tool: cargo-hack,cargo-llvm-cov,cargo-minimal-versions,cargo-no-dev-deps,parse-changelog,cargo-udeps,cargo-valgrind,cargo-deny,cross,dprint,just,nextest,shellcheck,shfmt,wasm-pack,mdbook,cargo-binstall,grcov,watchexec-cli,cargo-tarpaulin,syft
    runs-on: ubuntu-latest
    timeout-minutes: 60
    container: ${{ matrix.container }}
--- a/README.md
+++ b/README.md
@@ -105,6 +105,7 @@ https://spdx.org/licenses
 | [**wasm-pack**](https://github.com/rustwasm/wasm-pack) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rustwasm/wasm-pack/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/rustwasm/wasm-pack/blob/HEAD/LICENSE-APACHE) OR [MIT](https://github.com/rustwasm/wasm-pack/blob/HEAD/LICENSE-MIT) |
 | [**wasmtime**](https://github.com/bytecodealliance/wasmtime) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/bytecodealliance/wasmtime/releases) | Linux, macOS, Windows | [Apache-2.0 WITH LLVM-exception](https://github.com/bytecodealliance/wasmtime/blob/HEAD/LICENSE) |
 | [**zola**](https://github.com/getzola/zola) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/getzola/zola/releases) | Linux, macOS, Windows | [MIT](https://github.com/getzola/zola/blob/HEAD/LICENSE) |
+| [**syft**](https://github.com/anchore/syft) | `/usr/local/bin` | [Github Releases](https://github.com/anchore/syft/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/anchore/syft/blob/main/LICENSE) |

 If `$CARGO_HOME/bin` is not available, Rust-related binaries will be installed to `$HOME/.cargo/bin`.<br>
 If `$HOME/.cargo/bin` is not available, Rust-related binaries will be installed to `/usr/local/bin`.<br>
--- a/manifests/syft.json
+++ b/manifests/syft.json
@@ -0,0 +1,52 @@
+{
+  "template": {
+    "x86_64_linux_musl": {
+      "url": "https://github.com/anchore/syft/releases/download/v${version}/syft_${version}_linux_amd64.tar.gz",
+      "bin_dir": "/usr/local/bin",
+      "bin": "syft"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/anchore/syft/releases/download/v${version}/syft_${version}_darwin_amd64.tar.gz",
+      "bin_dir": "/usr/local/bin",
+      "bin": "syft"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/anchore/syft/releases/download/v${version}/syft_${version}_windows_amd64.zip",
+      "bin_dir": "/usr/local/bin",
+      "bin": "syft.exe"
+    },
+    "aarch64_linux_musl": {
+      "url": "https://github.com/anchore/syft/releases/download/v${version}/syft_${version}_linux_arm64.tar.gz",
+      "bin_dir": "/usr/local/bin",
+      "bin": "syft"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/anchore/syft/releases/download/v${version}/syft_${version}_darwin_arm64.tar.gz",
+      "bin_dir": "/usr/local/bin",
+      "bin": "syft"
+    }
+  },
+  "latest": {
+    "version": "0.83.0"
+  },
+  "0.83": {
+    "version": "0.83.0"
+  },
+  "0.83.0": {
+    "x86_64_linux_musl": {
+      "checksum": "694e97a454327403fb440544c41fefd83d37f88f43c4f9ae0b0d67a3562bd25c"
+    },
+    "x86_64_macos": {
+      "checksum": "211f34f2e52e842d3248bc3a72c07e534d0d7a8e40babaa7a2034a41a077b70e"
+    },
+    "x86_64_windows": {
+      "checksum": "9131f458fdbbc88fe1bd8df666721ecb95ff751d0ca3e2cffecfd5e021c65e97"
+    },
+    "aarch64_linux_musl": {
+      "checksum": "388fbea52598e44f8529e3432555c53e6e161211a83020d2b749c5d160baf593"
+    },
+    "aarch64_macos": {
+      "checksum": "4b93cf316aa30bddb53d2dcd82f4c9d0353b337677cbdf8a470749f9e98eec82"
+    }
+  }
+}
--- a/tools/codegen/base/syft.json
+++ b/tools/codegen/base/syft.json
@@ -0,0 +1,24 @@
+{
+  "repository": "https://github.com/anchore/syft",
+  "tag_prefix": "v",
+  "bin_dir": "/usr/local/bin",
+  "bin": "${package}${exe}",
+  "version_range": ">= 0.83.0",
+  "platform": {
+    "x86_64_macos": {
+      "asset_name": "${package}_${version}_darwin_amd64.tar.gz"
+    },
+    "aarch64_macos": {
+      "asset_name": "${package}_${version}_darwin_arm64.tar.gz"
+    },
+    "x86_64_windows": {
+      "asset_name": "${package}_${version}_windows_amd64.zip"
+    },
+    "x86_64_linux_musl": {
+      "asset_name": "${package}_${version}_linux_amd64.tar.gz"
+    },
+    "aarch64_linux_musl": {
+      "asset_name": "${package}_${version}_linux_arm64.tar.gz"
+    }
+  }
+}