From b8323aac35bf766c5f655b207d04c7b807812c50 Mon Sep 17 00:00:00 2001 From: Stefan Majewsky Date: Wed, 20 Mar 2024 15:10:14 +0100 Subject: [PATCH] revert trivy 0.49.1 -> 0.50.0 upgrade We have to downgrade our trivy-server because of , so I'm downgrading here, too, to keep the versions matching. --- go.mod | 5 +- go.sum | 32 +- .../anchore/go-struct-converter/.bouncer.yaml | 10 + .../anchore/go-struct-converter/.gitignore | 30 + .../go-struct-converter/.golangci.yaml | 78 +++ .../go-struct-converter/CONTRIBUTING.md | 86 +++ .../anchore/go-struct-converter/LICENSE | 201 +++++++ .../anchore/go-struct-converter/Makefile | 81 +++ .../anchore/go-struct-converter/README.md | 166 ++++++ .../anchore/go-struct-converter/chain.go | 95 +++ .../anchore/go-struct-converter/converter.go | 334 +++++++++++ .../trivy/pkg/fanal/types/artifact.go | 3 +- .../trivy/pkg/fanal/types/const.go | 27 +- .../trivy/pkg/fanal/types/image.go | 2 +- .../trivy/pkg/fanal/types/sbom.go | 36 ++ .../aquasecurity/trivy/pkg/sbom/core/bom.go | 321 ---------- .../aquasecurity/trivy/pkg/types/finding.go | 47 -- .../aquasecurity/trivy/pkg/types/license.go | 2 - .../trivy/pkg/types/misconfiguration.go | 17 +- .../aquasecurity/trivy/pkg/types/report.go | 16 +- .../aquasecurity/trivy/pkg/types/sbom.go | 19 +- .../aquasecurity/trivy/pkg/types/secret.go | 9 - .../trivy/pkg/types/vulnerability.go | 5 +- .../aquasecurity/trivy/pkg/uuid/uuid.go | 36 -- .../trivy/pkg/uuid/uuid_tinygo.go | 13 - vendor/github.com/google/uuid/CHANGELOG.md | 41 -- vendor/github.com/google/uuid/CONTRIBUTING.md | 26 - vendor/github.com/google/uuid/CONTRIBUTORS | 9 - vendor/github.com/google/uuid/LICENSE | 27 - vendor/github.com/google/uuid/README.md | 21 - vendor/github.com/google/uuid/dce.go | 80 --- vendor/github.com/google/uuid/doc.go | 12 - vendor/github.com/google/uuid/hash.go | 59 -- vendor/github.com/google/uuid/marshal.go | 38 -- vendor/github.com/google/uuid/node.go | 90 --- vendor/github.com/google/uuid/node_js.go | 12 - vendor/github.com/google/uuid/node_net.go | 33 -- vendor/github.com/google/uuid/null.go | 118 ---- vendor/github.com/google/uuid/sql.go | 59 -- vendor/github.com/google/uuid/time.go | 134 ----- vendor/github.com/google/uuid/util.go | 43 -- vendor/github.com/google/uuid/uuid.go | 365 ------------ vendor/github.com/google/uuid/version1.go | 44 -- vendor/github.com/google/uuid/version4.go | 76 --- vendor/github.com/google/uuid/version6.go | 56 -- vendor/github.com/google/uuid/version7.go | 104 ---- .../github.com/spdx/tools-golang/LICENSE.code | 550 ++++++++++++++++++ .../github.com/spdx/tools-golang/LICENSE.docs | 399 +++++++++++++ .../spdx/tools-golang/json/marshal/json.go | 15 + .../spdx/tools-golang/spdx/model.go | 133 +++++ .../tools-golang/spdx/v2/common/annotation.go | 45 ++ .../tools-golang/spdx/v2/common/checksum.go | 34 ++ .../spdx/v2/common/creation_info.go | 45 ++ .../tools-golang/spdx/v2/common/external.go | 74 +++ .../tools-golang/spdx/v2/common/identifier.go | 174 ++++++ .../tools-golang/spdx/v2/common/package.go | 104 ++++ .../tools-golang/spdx/v2/common/snippet.go | 20 + .../tools-golang/spdx/v2/v2_3/annotation.go | 31 + .../spdx/v2/v2_3/creation_info.go | 27 + .../tools-golang/spdx/v2/v2_3/document.go | 166 ++++++ .../spdx/tools-golang/spdx/v2/v2_3/file.go | 98 ++++ .../spdx/v2/v2_3/other_license.go | 30 + .../spdx/tools-golang/spdx/v2/v2_3/package.go | 222 +++++++ .../tools-golang/spdx/v2/v2_3/relationship.go | 24 + .../spdx/tools-golang/spdx/v2/v2_3/review.go | 25 + .../spdx/tools-golang/spdx/v2/v2_3/snippet.go | 50 ++ vendor/modules.txt | 16 +- 67 files changed, 3455 insertions(+), 1945 deletions(-) create mode 100644 vendor/github.com/anchore/go-struct-converter/.bouncer.yaml create mode 100644 vendor/github.com/anchore/go-struct-converter/.gitignore create mode 100644 vendor/github.com/anchore/go-struct-converter/.golangci.yaml create mode 100644 vendor/github.com/anchore/go-struct-converter/CONTRIBUTING.md create mode 100644 vendor/github.com/anchore/go-struct-converter/LICENSE create mode 100644 vendor/github.com/anchore/go-struct-converter/Makefile create mode 100644 vendor/github.com/anchore/go-struct-converter/README.md create mode 100644 vendor/github.com/anchore/go-struct-converter/chain.go create mode 100644 vendor/github.com/anchore/go-struct-converter/converter.go create mode 100644 vendor/github.com/aquasecurity/trivy/pkg/fanal/types/sbom.go delete mode 100644 vendor/github.com/aquasecurity/trivy/pkg/sbom/core/bom.go delete mode 100644 vendor/github.com/aquasecurity/trivy/pkg/types/finding.go delete mode 100644 vendor/github.com/aquasecurity/trivy/pkg/types/secret.go delete mode 100644 vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid.go delete mode 100644 vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid_tinygo.go delete mode 100644 vendor/github.com/google/uuid/CHANGELOG.md delete mode 100644 vendor/github.com/google/uuid/CONTRIBUTING.md delete mode 100644 vendor/github.com/google/uuid/CONTRIBUTORS delete mode 100644 vendor/github.com/google/uuid/LICENSE delete mode 100644 vendor/github.com/google/uuid/README.md delete mode 100644 vendor/github.com/google/uuid/dce.go delete mode 100644 vendor/github.com/google/uuid/doc.go delete mode 100644 vendor/github.com/google/uuid/hash.go delete mode 100644 vendor/github.com/google/uuid/marshal.go delete mode 100644 vendor/github.com/google/uuid/node.go delete mode 100644 vendor/github.com/google/uuid/node_js.go delete mode 100644 vendor/github.com/google/uuid/node_net.go delete mode 100644 vendor/github.com/google/uuid/null.go delete mode 100644 vendor/github.com/google/uuid/sql.go delete mode 100644 vendor/github.com/google/uuid/time.go delete mode 100644 vendor/github.com/google/uuid/util.go delete mode 100644 vendor/github.com/google/uuid/uuid.go delete mode 100644 vendor/github.com/google/uuid/version1.go delete mode 100644 vendor/github.com/google/uuid/version4.go delete mode 100644 vendor/github.com/google/uuid/version6.go delete mode 100644 vendor/github.com/google/uuid/version7.go create mode 100644 vendor/github.com/spdx/tools-golang/LICENSE.code create mode 100644 vendor/github.com/spdx/tools-golang/LICENSE.docs create mode 100644 vendor/github.com/spdx/tools-golang/json/marshal/json.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/model.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/annotation.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/checksum.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/creation_info.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/external.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/identifier.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/package.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/common/snippet.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/annotation.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/creation_info.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/document.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/file.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/other_license.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/package.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/relationship.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/review.go create mode 100644 vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/snippet.go diff --git a/go.mod b/go.mod index 690668a80..307a726a5 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.22 require ( github.com/alicebob/miniredis/v2 v2.32.1 - github.com/aquasecurity/trivy v0.50.0 + github.com/aquasecurity/trivy v0.49.1 github.com/databus23/goslo.policy v0.0.0-20210929125152-81bf2876dbdb github.com/dlmiddlecote/sqlstats v1.0.2 github.com/docker/distribution v2.8.3+incompatible @@ -32,6 +32,7 @@ require ( require ( github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect + github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect @@ -39,7 +40,6 @@ require ( github.com/distribution/reference v0.5.0 // indirect github.com/golang-migrate/migrate/v4 v4.17.0 // indirect github.com/google/go-containerregistry v0.19.0 // indirect - github.com/google/uuid v1.6.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect @@ -55,6 +55,7 @@ require ( github.com/rabbitmq/amqp091-go v1.9.0 // indirect github.com/samber/lo v1.39.0 // indirect github.com/sergi/go-diff v1.3.1 // indirect + github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/yuin/gopher-lua v1.1.1 // indirect go.uber.org/atomic v1.11.0 // indirect diff --git a/go.sum b/go.sum index fe5cab690..2bc8bc90d 100644 --- a/go.sum +++ b/go.sum @@ -10,8 +10,10 @@ github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZp github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc= github.com/alicebob/miniredis/v2 v2.32.1 h1:Bz7CciDnYSaa0mX5xODh6GUITRSx+cVhjNoOR4JssBo= github.com/alicebob/miniredis/v2 v2.32.1/go.mod h1:AqkLNAfUm0K07J28hnAyyQKf/x0YkCY/g5DCtuL01Mw= -github.com/aquasecurity/trivy v0.50.0 h1:jgKdbb/OWKQ6iNg+zf4riBiY8Eiw30yQswSGDVHoe2Q= -github.com/aquasecurity/trivy v0.50.0/go.mod h1:xUjevrGdSu4g9+qUQDHDnlG0EowzIcPQ5CcSLwd6B1Y= +github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc= +github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= +github.com/aquasecurity/trivy v0.49.1 h1:JiwITykmxMgxNY4NZqxUgMxe0vWwDa4e5Glg46plqQI= +github.com/aquasecurity/trivy v0.49.1/go.mod h1:e+AhmSIbE1g8Di5Io5UBLk/seForwoNbp7543h/DCHo= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d h1:fjI9mkoTUAkbGqpzt9nJsO24RAdfG+ZSiLFj0G2jO8c= github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d/go.mod h1:cj9/QmD9N3OZnKQMp+/DvdV+ym3HyIkd4e+F0ZM3ZGs= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= @@ -45,8 +47,8 @@ github.com/dlmiddlecote/sqlstats v1.0.2 h1:gSU11YN23D/iY50A2zVYwgXgy072khatTsIW6 github.com/dlmiddlecote/sqlstats v1.0.2/go.mod h1:0CWaIh/Th+z2aI6Q9Jpfg/o21zmGxWhbByHgQSCUQvY= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v25.0.3+incompatible h1:D5fy/lYmY7bvZa0XTZ5/UJPljor41F+vdyJG5luQLfQ= -github.com/docker/docker v25.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v25.0.1+incompatible h1:k5TYd5rIVQRSqcTwCID+cyVA0yRg86+Pcrz1ls0/frA= +github.com/docker/docker v25.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= @@ -86,8 +88,6 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-containerregistry v0.19.0 h1:uIsMRBV7m/HDkDxE/nXMnv1q+lOOSPlQ/ywc5JbB8Ic= github.com/google/go-containerregistry v0.19.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= -github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gophercloud/gophercloud v1.3.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM= github.com/gophercloud/gophercloud v1.11.0 h1:ls0O747DIq1D8SUHc7r2vI8BFbMLeLFuENaAIfEx7OM= github.com/gophercloud/gophercloud v1.11.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM= @@ -193,6 +193,9 @@ github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= +github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a h1:uuREJ3I15VLjYZuhxjTQnA2bTqzRQX1HKEphYBzqT9o= +github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a/go.mod h1:BHs8QEhK6MbFGdyjxvuBtzJtCLrN5bwUBC9fzQlYBXs= github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -200,6 +203,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= @@ -214,18 +218,19 @@ github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= -go.opentelemetry.io/otel v1.23.1 h1:Za4UzOqJYS+MUczKI320AtqZHZb7EqxO00jAHE0jmQY= -go.opentelemetry.io/otel v1.23.1/go.mod h1:Td0134eafDLcTS4y+zQ26GE8u3dEuRBiBCTUIRHaikA= -go.opentelemetry.io/otel/metric v1.23.1 h1:PQJmqJ9u2QaJLBOELl1cxIdPcpbwzbkjfEyelTl2rlo= -go.opentelemetry.io/otel/metric v1.23.1/go.mod h1:mpG2QPlAfnK8yNhNJAxDZruU9Y1/HubbC+KyH8FaCWI= -go.opentelemetry.io/otel/trace v1.23.1 h1:4LrmmEd8AU2rFvU1zegmvqW7+kWarxtNOPyeL6HmYY8= -go.opentelemetry.io/otel/trace v1.23.1/go.mod h1:4IpnpJFwr1mo/6HL8XIPJaE9y0+u1KcVmuW7dwFSVrI= +go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= +go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= +go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= +go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= +go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc= +go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= -go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= @@ -294,3 +299,4 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/vendor/github.com/anchore/go-struct-converter/.bouncer.yaml b/vendor/github.com/anchore/go-struct-converter/.bouncer.yaml new file mode 100644 index 000000000..db50b4d30 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/.bouncer.yaml @@ -0,0 +1,10 @@ +permit: + - BSD.* + - CC0.* + - MIT.* + - Apache.* + - MPL.* + - ISC + - WTFPL + +ignore-packages: diff --git a/vendor/github.com/anchore/go-struct-converter/.gitignore b/vendor/github.com/anchore/go-struct-converter/.gitignore new file mode 100644 index 000000000..1edd832da --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/.gitignore @@ -0,0 +1,30 @@ +# If you prefer the allow list template instead of the deny list, see community template: +# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore +# +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Dependency directories (remove the comment below to include it) +# vendor/ + +# Go workspace file +go.work + +# tools +.tmp + +# test output +test/results + +# IDE project files +.idea diff --git a/vendor/github.com/anchore/go-struct-converter/.golangci.yaml b/vendor/github.com/anchore/go-struct-converter/.golangci.yaml new file mode 100644 index 000000000..fdb37721d --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/.golangci.yaml @@ -0,0 +1,78 @@ +#issues: +# # The list of ids of default excludes to include or disable. +# include: +# - EXC0002 # disable excluding of issues about comments from golint + +linters: + # inverted configuration with `enable-all` and `disable` is not scalable during updates of golangci-lint + disable-all: true + enable: + - asciicheck + - bodyclose + - depguard + - dogsled + - dupl + - errcheck + - exportloopref + - funlen + - gocognit + - goconst + - gocritic + - gocyclo + - gofmt + - goprintffuncname + - gosec + - gosimple + - govet + - ineffassign + - misspell + - nakedret + - nolintlint + - revive + - staticcheck + - stylecheck + - typecheck + - unconvert + - unparam + - unused + - whitespace + +# do not enable... +# - gochecknoglobals +# - gochecknoinits # this is too aggressive +# - rowserrcheck disabled per generics https://github.com/golangci/golangci-lint/issues/2649 +# - godot +# - godox +# - goerr113 +# - goimports # we're using gosimports now instead to account for extra whitespaces (see https://github.com/golang/go/issues/20818) +# - golint # deprecated +# - gomnd # this is too aggressive +# - interfacer # this is a good idea, but is no longer supported and is prone to false positives +# - lll # without a way to specify per-line exception cases, this is not usable +# - maligned # this is an excellent linter, but tricky to optimize and we are not sensitive to memory layout optimizations +# - nestif +# - prealloc # following this rule isn't consistently a good idea, as it sometimes forces unnecessary allocations that result in less idiomatic code +# - scopelint # deprecated +# - testpackage +# - wsl # this doens't have an auto-fixer yet and is pretty noisy (https://github.com/bombsimon/wsl/issues/90) + +linters-settings: + funlen: + # Checks the number of lines in a function. + # If lower than 0, disable the check. + # Default: 60 + lines: 140 + # Checks the number of statements in a function. + # If lower than 0, disable the check. + # Default: 40 + statements: 100 + + gocognit: + # Minimal code complexity to report + # Default: 30 (but we recommend 10-20) + min-complexity: 80 + + gocyclo: + # Minimal code complexity to report. + # Default: 30 (but we recommend 10-20) + min-complexity: 50 diff --git a/vendor/github.com/anchore/go-struct-converter/CONTRIBUTING.md b/vendor/github.com/anchore/go-struct-converter/CONTRIBUTING.md new file mode 100644 index 000000000..9ff2670b2 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/CONTRIBUTING.md @@ -0,0 +1,86 @@ +# Contributing to go-struct-converter + +If you are looking to contribute to this project and want to open a GitHub pull request ("PR"), there are a few guidelines of what we are looking for in patches. Make sure you go through this document and ensure that your code proposal is aligned. + +## Sign off your work + +The `sign-off` is an added line at the end of the explanation for the commit, certifying that you wrote it or otherwise have the right to submit it as an open-source patch. By submitting a contribution, you agree to be bound by the terms of the DCO Version 1.1 and Apache License Version 2.0. + +Signing off a commit certifies the below Developer's Certificate of Origin (DCO): + +```text +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +All contributions to this project are licensed under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/). + +When committing your change, you can add the required line manually so that it looks like this: + +```text +Signed-off-by: John Doe +``` + +Alternatively, configure your Git client with your name and email to use the `-s` flag when creating a commit: + +```text +$ git config --global user.name "John Doe" +$ git config --global user.email "john.doe@example.com" +``` + +Creating a signed-off commit is then possible with `-s` or `--signoff`: + +```text +$ git commit -s -m "this is a commit message" +``` + +To double-check that the commit was signed-off, look at the log output: + +```text +$ git log -1 +commit 37ceh170e4hb283bb73d958f2036ee5k07e7fde7 (HEAD -> issue-35, origin/main, main) +Author: John Doe +Date: Mon Aug 1 11:27:13 2020 -0400 + + this is a commit message + + Signed-off-by: John Doe +``` + +[//]: # "TODO: Commit guidelines, granular commits" +[//]: # "TODO: Commit guidelines, descriptive messages" +[//]: # "TODO: Commit guidelines, commit title, extra body description" +[//]: # "TODO: PR title and description" + +## Test your changes + +Ensure that your changes have passed the test suite. + +Simply run `make test` to have all tests run and validate changes work properly. + +## Document your changes + +When proposed changes are modifying user-facing functionality or output, it is expected the PR will include updates to the documentation as well. diff --git a/vendor/github.com/anchore/go-struct-converter/LICENSE b/vendor/github.com/anchore/go-struct-converter/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/anchore/go-struct-converter/Makefile b/vendor/github.com/anchore/go-struct-converter/Makefile new file mode 100644 index 000000000..f5412aef5 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/Makefile @@ -0,0 +1,81 @@ +TEMPDIR = ./.tmp + +# commands and versions +LINTCMD = $(TEMPDIR)/golangci-lint run --tests=false --timeout=5m --config .golangci.yaml +GOIMPORTS_CMD = $(TEMPDIR)/gosimports -local github.com/anchore + +# tool versions +GOLANGCILINT_VERSION = v1.50.1 +GOSIMPORTS_VERSION = v0.3.4 +BOUNCER_VERSION = v0.4.0 + +# formatting variables +BOLD := $(shell tput -T linux bold) +PURPLE := $(shell tput -T linux setaf 5) +GREEN := $(shell tput -T linux setaf 2) +CYAN := $(shell tput -T linux setaf 6) +RED := $(shell tput -T linux setaf 1) +RESET := $(shell tput -T linux sgr0) +TITLE := $(BOLD)$(PURPLE) +SUCCESS := $(BOLD)$(GREEN) + +# test variables +RESULTSDIR = test/results +COVER_REPORT = $(RESULTSDIR)/unit-coverage-details.txt +COVER_TOTAL = $(RESULTSDIR)/unit-coverage-summary.txt +# the quality gate lower threshold for unit test total % coverage (by function statements) +COVERAGE_THRESHOLD := 80 + +$(RESULTSDIR): + mkdir -p $(RESULTSDIR) + +$(TEMPDIR): + mkdir -p $(TEMPDIR) + +.PHONY: bootstrap-tools +bootstrap-tools: $(TEMPDIR) + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ $(GOLANGCILINT_VERSION) + curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ $(BOUNCER_VERSION) + # the only difference between goimports and gosimports is that gosimports removes extra whitespace between import blocks (see https://github.com/golang/go/issues/20818) + GOBIN="$(realpath $(TEMPDIR))" go install github.com/rinchsan/gosimports/cmd/gosimports@$(GOSIMPORTS_VERSION) + +.PHONY: static-analysis +static-analysis: check-licenses lint + +.PHONY: lint +lint: ## Run gofmt + golangci lint checks + $(call title,Running linters) + # ensure there are no go fmt differences + @printf "files with gofmt issues: [$(shell gofmt -l -s .)]\n" + @test -z "$(shell gofmt -l -s .)" + + # run all golangci-lint rules + $(LINTCMD) + @[ -z "$(shell $(GOIMPORTS_CMD) -d .)" ] || (echo "goimports needs to be fixed" && false) + + # go tooling does not play well with certain filename characters, ensure the common cases don't result in future "go get" failures + $(eval MALFORMED_FILENAMES := $(shell find . | grep -e ':')) + @bash -c "[[ '$(MALFORMED_FILENAMES)' == '' ]] || (printf '\nfound unsupported filename characters:\n$(MALFORMED_FILENAMES)\n\n' && false)" + +.PHONY: lint-fix +lint-fix: ## Auto-format all source code + run golangci lint fixers + $(call title,Running lint fixers) + gofmt -w -s . + $(GOIMPORTS_CMD) -w . + $(LINTCMD) --fix + go mod tidy + +.PHONY: check-licenses +check-licenses: ## Ensure transitive dependencies are compliant with the current license policy + $(TEMPDIR)/bouncer check ./... + +.PHONY: unit +unit: $(RESULTSDIR) ## Run unit tests (with coverage) + $(call title,Running unit tests) + go test -coverprofile $(COVER_REPORT) $(shell go list ./... | grep -v anchore/syft/test) + @go tool cover -func $(COVER_REPORT) | grep total | awk '{print substr($$3, 1, length($$3)-1)}' > $(COVER_TOTAL) + @echo "Coverage: $$(cat $(COVER_TOTAL))" + @if [ $$(echo "$$(cat $(COVER_TOTAL)) >= $(COVERAGE_THRESHOLD)" | bc -l) -ne 1 ]; then echo "$(RED)$(BOLD)Failed coverage quality gate (> $(COVERAGE_THRESHOLD)%)$(RESET)" && false; fi + +.PHONY: test +test: unit diff --git a/vendor/github.com/anchore/go-struct-converter/README.md b/vendor/github.com/anchore/go-struct-converter/README.md new file mode 100644 index 000000000..06d8e4311 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/README.md @@ -0,0 +1,166 @@ +# Go `struct` Converter + +A library for converting between Go structs. + +```go +chain := converter.NewChain(V1{}, V2{}, V3{}) + +chain.Convert(myV1struct, &myV3struct) +``` + +## Details + +At its core, this library provides a `Convert` function, which automatically +handles converting fields with the same name, and "convertable" +types. Some examples are: +* `string` -> `string` +* `string` -> `*string` +* `int` -> `string` +* `string` -> `[]string` + +The automatic conversions are implemented when there is an obvious way +to convert between the types. A lot more automatic conversions happen +-- see [the converter tests](converter_test.go) for a more comprehensive +list of what is currently supported. + +Not everything can be handled automatically, however, so there is also +a `ConvertFrom` interface any struct in the graph can implement to +perform custom conversion, similar to how the stdlib `MarshalJSON` and +`UnmarshalJSON` would be implemented. + +Additionally, and maybe most importantly, there is a `converter.Chain` available, +which orchestrates conversions between _multiple versions_ of structs. This could +be thought of similar to database migrations: given a starting struct and a target +struct, the `chain.Convert` function iterates through every intermediary migration +in order to arrive at the target struct. + +## Basic Usage + +To illustrate usage we'll start with a few basic structs, some of which +implement the `ConvertFrom` interface due to breaking changes: + +```go +// --------- V1 struct definition below --------- + +type V1 struct { + Name string + OldField string +} + +// --------- V2 struct definition below --------- + +type V2 struct { + Name string + NewField string // this was a renamed field +} + +func (to *V2) ConvertFrom(from interface{}) error { + if from, ok := from.(V1); ok { // forward migration + to.NewField = from.OldField + } + return nil +} + +// --------- V3 struct definition below --------- + +type V3 struct { + Name []string + FinalField []string // this field was renamed and the type was changed +} + +func (to *V3) ConvertFrom(from interface{}) error { + if from, ok := from.(V2); ok { // forward migration + to.FinalField = []string{from.NewField} + } + return nil +} +``` + +Given these type definitions, we can easily set up a conversion chain +like this: + +```go +chain := converter.NewChain(V1{}, V2{}, V3{}) +``` + +This chain can then be used to convert from an _older version_ to a _newer +version_. This is because our `ConvertFrom` definitions are only handling +_forward_ migrations. + +This chain can be used to convert from a `V1` struct to a `V3` struct easily, +like this: + +```go +v1 := // somehow get a populated v1 struct +v3 := V3{} +chain.Convert(v1, &v3) +``` + +Since we've defined our chain as `V1` → `V2` → `V3`, the chain will execute +conversions to all intermediary structs (`V2`, in this case) and ultimately end +when we've populated the `v3` instance. + +Note we haven't needed to define any conversions on the `Name` field of any structs +since this one is convertible between structs: `string` → `string` → `[]string`. + +## Backwards Migrations + +If we wanted to _also_ provide backwards migrations, we could also easily add a case +to the `ConvertFrom` methods. The whole set of structs would look something like this: + + +```go +// --------- V1 struct definition below --------- + +type V1 struct { + Name string + OldField string +} + +func (to *V1) ConvertFrom(from interface{}) error { + if from, ok := from.(V2); ok { // backward migration + to.OldField = from.NewField + } + return nil +} + +// --------- V2 struct definition below --------- + +type V2 struct { + Name string + NewField string +} + +func (to *V2) ConvertFrom(from interface{}) error { + if from, ok := from.(V1); ok { // forward migration + to.NewField = from.OldField + } + if from, ok := from.(V3); ok { // backward migration + to.NewField = from.FinalField[0] + } + return nil +} + +// --------- V3 struct definition below --------- + +type V3 struct { + Name []string + FinalField []string +} + +func (to *V3) ConvertFrom(from interface{}) error { + if from, ok := from.(V2); ok { // forward migration + to.FinalField = []string{from.NewField} + } + return nil +} +``` + +At this point we could convert in either direction, for example a +`V3` struct could convert to a `V1` struct, with the caveat that there +may be data loss, as might need to happen due to changes in the data shapes. + +## Contributing + +If you would like to contribute to this repository, please see the +[CONTRIBUTING.md](CONTRIBUTING.md). diff --git a/vendor/github.com/anchore/go-struct-converter/chain.go b/vendor/github.com/anchore/go-struct-converter/chain.go new file mode 100644 index 000000000..41aa0e1d7 --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/chain.go @@ -0,0 +1,95 @@ +package converter + +import ( + "fmt" + "reflect" +) + +// NewChain takes a set of structs, in order, to allow for accurate chain.Convert(from, &to) calls. NewChain should +// be called with struct values in a manner similar to this: +// converter.NewChain(v1.Document{}, v2.Document{}, v3.Document{}) +func NewChain(structs ...interface{}) Chain { + out := Chain{} + for _, s := range structs { + typ := reflect.TypeOf(s) + if isPtr(typ) { // these shouldn't be pointers, but check just to be safe + typ = typ.Elem() + } + out.Types = append(out.Types, typ) + } + return out +} + +// Chain holds a set of types with which to migrate through when a `chain.Convert` call is made +type Chain struct { + Types []reflect.Type +} + +// Convert converts from one type in the chain to the target type, calling each conversion in between +func (c Chain) Convert(from interface{}, to interface{}) (err error) { + fromValue := reflect.ValueOf(from) + fromType := fromValue.Type() + + // handle incoming pointers + for isPtr(fromType) { + fromValue = fromValue.Elem() + fromType = fromType.Elem() + } + + toValuePtr := reflect.ValueOf(to) + toTypePtr := toValuePtr.Type() + + if !isPtr(toTypePtr) { + return fmt.Errorf("TO struct provided not a pointer, unable to set values: %v", to) + } + + // toValue must be a pointer but need a reference to the struct type directly + toValue := toValuePtr.Elem() + toType := toValue.Type() + + fromIdx := -1 + toIdx := -1 + + for i, typ := range c.Types { + if typ == fromType { + fromIdx = i + } + if typ == toType { + toIdx = i + } + } + + if fromIdx == -1 { + return fmt.Errorf("invalid FROM type provided, not in the conversion chain: %s", fromType.Name()) + } + + if toIdx == -1 { + return fmt.Errorf("invalid TO type provided, not in the conversion chain: %s", toType.Name()) + } + + last := from + for i := fromIdx; i != toIdx; { + // skip the first index, because that is the from type - start with the next conversion in the chain + if fromIdx < toIdx { + i++ + } else { + i-- + } + + var next interface{} + if i == toIdx { + next = to + } else { + nextVal := reflect.New(c.Types[i]) + next = nextVal.Interface() // this will be a pointer, which is fine to pass to both from and to in Convert + } + + if err = Convert(last, next); err != nil { + return err + } + + last = next + } + + return nil +} diff --git a/vendor/github.com/anchore/go-struct-converter/converter.go b/vendor/github.com/anchore/go-struct-converter/converter.go new file mode 100644 index 000000000..57d1b332d --- /dev/null +++ b/vendor/github.com/anchore/go-struct-converter/converter.go @@ -0,0 +1,334 @@ +package converter + +import ( + "fmt" + "reflect" + "strconv" +) + +// ConvertFrom interface allows structs to define custom conversion functions if the automated reflection-based Convert +// is not able to convert properties due to name changes or other factors. +type ConvertFrom interface { + ConvertFrom(interface{}) error +} + +// Convert takes two objects, e.g. v2_1.Document and &v2_2.Document{} and attempts to map all the properties from one +// to the other. After the automatic mapping, if a struct implements the ConvertFrom interface, this is called to +// perform any additional conversion logic necessary. +func Convert(from interface{}, to interface{}) error { + fromValue := reflect.ValueOf(from) + + toValuePtr := reflect.ValueOf(to) + toTypePtr := toValuePtr.Type() + + if !isPtr(toTypePtr) { + return fmt.Errorf("TO value provided was not a pointer, unable to set value: %v", to) + } + + toValue, err := getValue(fromValue, toTypePtr) + if err != nil { + return err + } + + // don't set nil values + if toValue == nilValue { + return nil + } + + // toValuePtr is the passed-in pointer, toValue is also the same type of pointer + toValuePtr.Elem().Set(toValue.Elem()) + return nil +} + +func getValue(fromValue reflect.Value, targetType reflect.Type) (reflect.Value, error) { + var err error + + fromType := fromValue.Type() + + var toValue reflect.Value + + // handle incoming pointer Types + if isPtr(fromType) { + if fromValue.IsNil() { + return nilValue, nil + } + fromValue = fromValue.Elem() + if !fromValue.IsValid() || fromValue.IsZero() { + return nilValue, nil + } + fromType = fromValue.Type() + } + + baseTargetType := targetType + if isPtr(targetType) { + baseTargetType = targetType.Elem() + } + + switch { + case isStruct(fromType) && isStruct(baseTargetType): + // this always creates a pointer type + toValue = reflect.New(baseTargetType) + toValue = toValue.Elem() + + for i := 0; i < fromType.NumField(); i++ { + fromField := fromType.Field(i) + fromFieldValue := fromValue.Field(i) + + toField, exists := baseTargetType.FieldByName(fromField.Name) + if !exists { + continue + } + toFieldType := toField.Type + + toFieldValue := toValue.FieldByName(toField.Name) + + newValue, err := getValue(fromFieldValue, toFieldType) + if err != nil { + return nilValue, err + } + + if newValue == nilValue { + continue + } + + toFieldValue.Set(newValue) + } + + // allow structs to implement a custom convert function from previous/next version struct + if reflect.PtrTo(baseTargetType).Implements(convertFromType) { + convertFrom := toValue.Addr().MethodByName(convertFromName) + if !convertFrom.IsValid() { + return nilValue, fmt.Errorf("unable to get ConvertFrom method") + } + args := []reflect.Value{fromValue} + out := convertFrom.Call(args) + err := out[0].Interface() + if err != nil { + return nilValue, fmt.Errorf("an error occurred calling %s.%s: %v", baseTargetType.Name(), convertFromName, err) + } + } + case isSlice(fromType) && isSlice(baseTargetType): + if fromValue.IsNil() { + return nilValue, nil + } + + length := fromValue.Len() + targetElementType := baseTargetType.Elem() + toValue = reflect.MakeSlice(baseTargetType, length, length) + for i := 0; i < length; i++ { + v, err := getValue(fromValue.Index(i), targetElementType) + if err != nil { + return nilValue, err + } + if v.IsValid() { + toValue.Index(i).Set(v) + } + } + case isMap(fromType) && isMap(baseTargetType): + if fromValue.IsNil() { + return nilValue, nil + } + + keyType := baseTargetType.Key() + elementType := baseTargetType.Elem() + toValue = reflect.MakeMap(baseTargetType) + for _, fromKey := range fromValue.MapKeys() { + fromVal := fromValue.MapIndex(fromKey) + k, err := getValue(fromKey, keyType) + if err != nil { + return nilValue, err + } + v, err := getValue(fromVal, elementType) + if err != nil { + return nilValue, err + } + if k == nilValue || v == nilValue { + continue + } + if v == nilValue { + continue + } + if k.IsValid() && v.IsValid() { + toValue.SetMapIndex(k, v) + } + } + default: + // TODO determine if there are other conversions + toValue = fromValue + } + + // handle non-pointer returns -- the reflect.New earlier always creates a pointer + if !isPtr(baseTargetType) { + toValue = fromPtr(toValue) + } + + toValue, err = convertValueTypes(toValue, baseTargetType) + + if err != nil { + return nilValue, err + } + + // handle elements which are now pointers + if isPtr(targetType) { + toValue = toPtr(toValue) + } + + return toValue, nil +} + +// convertValueTypes takes a value and a target type, and attempts to convert +// between the Types - e.g. string -> int. when this function is called the value +func convertValueTypes(value reflect.Value, targetType reflect.Type) (reflect.Value, error) { + typ := value.Type() + switch { + // if the Types are the same, just return the value + case typ.Kind() == targetType.Kind(): + return value, nil + case value.IsZero() && isPrimitive(targetType): + + case isPrimitive(typ) && isPrimitive(targetType): + // get a string representation of the value + str := fmt.Sprintf("%v", value.Interface()) // TODO is there a better way to get a string representation? + var err error + var out interface{} + switch { + case isString(targetType): + out = str + case isBool(targetType): + out, err = strconv.ParseBool(str) + case isInt(targetType): + out, err = strconv.Atoi(str) + case isUint(targetType): + out, err = strconv.ParseUint(str, 10, 64) + case isFloat(targetType): + out, err = strconv.ParseFloat(str, 64) + } + + if err != nil { + return nilValue, err + } + + v := reflect.ValueOf(out) + + v = v.Convert(targetType) + + return v, nil + case isSlice(typ) && isSlice(targetType): + // this should already be handled in getValue + case isSlice(typ): + // this may be lossy + if value.Len() > 0 { + v := value.Index(0) + v, err := convertValueTypes(v, targetType) + if err != nil { + return nilValue, err + } + return v, nil + } + return convertValueTypes(nilValue, targetType) + case isSlice(targetType): + elementType := targetType.Elem() + v, err := convertValueTypes(value, elementType) + if err != nil { + return nilValue, err + } + if v == nilValue { + return v, nil + } + slice := reflect.MakeSlice(targetType, 1, 1) + slice.Index(0).Set(v) + return slice, nil + } + + return nilValue, fmt.Errorf("unable to convert from: %v to %v", value.Interface(), targetType.Name()) +} + +func isPtr(typ reflect.Type) bool { + return typ.Kind() == reflect.Ptr +} + +func isPrimitive(typ reflect.Type) bool { + return isString(typ) || isBool(typ) || isInt(typ) || isUint(typ) || isFloat(typ) +} + +func isString(typ reflect.Type) bool { + return typ.Kind() == reflect.String +} + +func isBool(typ reflect.Type) bool { + return typ.Kind() == reflect.Bool +} + +func isInt(typ reflect.Type) bool { + switch typ.Kind() { + case reflect.Int, + reflect.Int8, + reflect.Int16, + reflect.Int32, + reflect.Int64: + return true + } + return false +} + +func isUint(typ reflect.Type) bool { + switch typ.Kind() { + case reflect.Uint, + reflect.Uint8, + reflect.Uint16, + reflect.Uint32, + reflect.Uint64: + return true + } + return false +} + +func isFloat(typ reflect.Type) bool { + switch typ.Kind() { + case reflect.Float32, + reflect.Float64: + return true + } + return false +} + +func isStruct(typ reflect.Type) bool { + return typ.Kind() == reflect.Struct +} + +func isSlice(typ reflect.Type) bool { + return typ.Kind() == reflect.Slice +} + +func isMap(typ reflect.Type) bool { + return typ.Kind() == reflect.Map +} + +func toPtr(val reflect.Value) reflect.Value { + typ := val.Type() + if !isPtr(typ) { + // this creates a pointer type inherently + ptrVal := reflect.New(typ) + ptrVal.Elem().Set(val) + val = ptrVal + } + return val +} + +func fromPtr(val reflect.Value) reflect.Value { + if isPtr(val.Type()) { + val = val.Elem() + } + return val +} + +// convertFromName constant to find the ConvertFrom method +const convertFromName = "ConvertFrom" + +var ( + // nilValue is returned in a number of cases when a value should not be set + nilValue = reflect.ValueOf(nil) + + // convertFromType is the type to check for ConvertFrom implementations + convertFromType = reflect.TypeOf((*ConvertFrom)(nil)).Elem() +) diff --git a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/artifact.go b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/artifact.go index 86870d52e..cd005c658 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/artifact.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/artifact.go @@ -10,7 +10,6 @@ import ( "github.com/samber/lo" "github.com/aquasecurity/trivy/pkg/digest" - "github.com/aquasecurity/trivy/pkg/sbom/core" ) type OS struct { @@ -278,7 +277,7 @@ type ArtifactReference struct { ImageMetadata ImageMetadata // SBOM - BOM *core.BOM + CycloneDX *CycloneDX } type ImageMetadata struct { diff --git a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/const.go b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/const.go index b46b36a8d..fca6a6b5d 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/const.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/const.go @@ -81,26 +81,17 @@ const ( OCP LangType = "ocp" // Red Hat OpenShift Container Platform ) -var AggregatingTypes = []LangType{ - PythonPkg, - CondaPkg, - GemSpec, - NodePkg, - Jar, -} - // Config files const ( - JSON ConfigType = "json" - Dockerfile ConfigType = "dockerfile" - Terraform ConfigType = "terraform" - TerraformPlanJSON ConfigType = "terraformplan" - TerraformPlanSnapshot ConfigType = "terraformplan-snapshot" - CloudFormation ConfigType = "cloudformation" - Kubernetes ConfigType = "kubernetes" - Helm ConfigType = "helm" - Cloud ConfigType = "cloud" - AzureARM ConfigType = "azure-arm" + JSON ConfigType = "json" + Dockerfile ConfigType = "dockerfile" + Terraform ConfigType = "terraform" + TerraformPlan ConfigType = "terraformplan" + CloudFormation ConfigType = "cloudformation" + Kubernetes ConfigType = "kubernetes" + Helm ConfigType = "helm" + Cloud ConfigType = "cloud" + AzureARM ConfigType = "azure-arm" ) // Language-specific file names diff --git a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/image.go b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/image.go index 91cdfb44b..7726169ce 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/image.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/image.go @@ -60,7 +60,7 @@ type DockerOptions struct { } type PodmanOptions struct { - Host string + // Add Podman-specific options } type ContainerdOptions struct { diff --git a/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/sbom.go b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/sbom.go new file mode 100644 index 000000000..b63f9c31b --- /dev/null +++ b/vendor/github.com/aquasecurity/trivy/pkg/fanal/types/sbom.go @@ -0,0 +1,36 @@ +package types + +// CycloneDX re-defines only necessary fields from cyclondx/cyclonedx-go +// cf. https://github.com/CycloneDX/cyclonedx-go/blob/de6bc07025d148badc8f6699ccb556744a5f4070/cyclonedx.go#L58-L77 +// +// The encoding/xml package that cyclondx-go depends on cannot be imported due to some limitations in TinyGo. +// cf. https://tinygo.org/docs/reference/lang-support/stdlib/ +type CycloneDX struct { + // JSON specific fields + BOMFormat string `json:"bomFormat" xml:"-"` + SpecVersion SpecVersion `json:"specVersion" xml:"-"` + + SerialNumber string `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"` + Version int `json:"version" xml:"version,attr"` + Metadata Metadata `json:"metadata,omitempty" xml:"metadata,omitempty"` + Components []Component `json:"components,omitempty" xml:"components>component,omitempty"` +} + +type Metadata struct { + Timestamp string `json:"timestamp,omitempty" xml:"timestamp,omitempty"` + Component Component `json:"component,omitempty" xml:"component,omitempty"` +} + +type Component struct { + BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"` + MIMEType string `json:"mime-type,omitempty" xml:"mime-type,attr,omitempty"` + Type ComponentType `json:"type" xml:"type,attr"` + Name string `json:"name" xml:"name"` + Version string `json:"version,omitempty" xml:"version,omitempty"` + PackageURL string `json:"purl,omitempty" xml:"purl,omitempty"` +} + +type ( + ComponentType string + SpecVersion int +) diff --git a/vendor/github.com/aquasecurity/trivy/pkg/sbom/core/bom.go b/vendor/github.com/aquasecurity/trivy/pkg/sbom/core/bom.go deleted file mode 100644 index 54755a81e..000000000 --- a/vendor/github.com/aquasecurity/trivy/pkg/sbom/core/bom.go +++ /dev/null @@ -1,321 +0,0 @@ -package core - -import ( - "sort" - - "github.com/package-url/packageurl-go" - - dtypes "github.com/aquasecurity/trivy-db/pkg/types" - "github.com/aquasecurity/trivy/pkg/digest" - "github.com/aquasecurity/trivy/pkg/uuid" -) - -const ( - TypeFilesystem ComponentType = "filesystem" - TypeRepository ComponentType = "repository" - TypeContainerImage ComponentType = "container_image" - TypeVM ComponentType = "vm" - TypeApplication ComponentType = "application" - TypeLibrary ComponentType = "library" - TypeOS ComponentType = "os" - TypePlatform ComponentType = "platform" - - // Metadata properties - PropertySchemaVersion = "SchemaVersion" - PropertyType = "Type" - PropertyClass = "Class" - - // Image properties - PropertySize = "Size" - PropertyImageID = "ImageID" - PropertyRepoDigest = "RepoDigest" - PropertyDiffID = "DiffID" - PropertyRepoTag = "RepoTag" - - // Package properties - PropertyPkgID = "PkgID" - PropertyPkgType = "PkgType" - PropertySrcName = "SrcName" - PropertySrcVersion = "SrcVersion" - PropertySrcRelease = "SrcRelease" - PropertySrcEpoch = "SrcEpoch" - PropertyModularitylabel = "Modularitylabel" - PropertyFilePath = "FilePath" - PropertyLayerDigest = "LayerDigest" - PropertyLayerDiffID = "LayerDiffID" - - // Relationships - RelationshipDescribes RelationshipType = "describes" - RelationshipContains RelationshipType = "contains" - RelationshipDependsOn RelationshipType = "depends_on" -) - -type ComponentType string -type RelationshipType string - -// BOM represents an intermediate representation of a component for SBOM. -type BOM struct { - SerialNumber string - Version int - - rootID uuid.UUID - components map[uuid.UUID]*Component - relationships map[uuid.UUID][]Relationship - - // Vulnerabilities is a list of vulnerabilities that affect the component. - // CycloneDX: vulnerabilities - // SPDX: N/A - vulnerabilities map[uuid.UUID][]Vulnerability - - // purls is a map of package URLs to UUIDs - // This is used to ensure that each package URL is only represented once in the BOM. - purls map[string][]uuid.UUID - - // opts is a set of options for the BOM. - opts Options -} - -type Component struct { - // id is the unique identifier of the component for internal use. - // It's transparently generated by UUIDv4 - id uuid.UUID - - // Type is the type of the component - // CycloneDX: component.type - Type ComponentType - - // Root represents the root of the BOM - // Only one root is allowed in a BOM. - // CycloneDX: metadata.component - Root bool - - // Name is the name of the component - // CycloneDX: component.name - // SPDX: package.name - Name string - - // Group is the group of the component - // CycloneDX: component.group - // SPDX: N/A - Group string - - // Version is the version of the component - // CycloneDX: component.version - // SPDX: package.versionInfo - Version string - - // SrcName is the name of the source component - // CycloneDX: N/A - // SPDX: package.sourceInfo - SrcName string - - // SrcVersion is the version of the source component - // CycloneDX: N/A - // SPDX: package.sourceInfo - SrcVersion string - - // SrcFile is the file path where the component is found. - // CycloneDX: N/A - // SPDX: package.sourceInfo - SrcFile string - - // Licenses is a list of licenses that apply to the component - // CycloneDX: component.licenses - // SPDX: package.licenseConcluded, package.licenseDeclared - Licenses []string - - // PkgID has PURL and BOMRef for the component - // PURL: - // CycloneDX: component.purl - // SPDX: package.externalRefs.referenceLocator - // BOMRef: - // CycloneDX: component.bom-ref - // SPDX: N/A - PkgID PkgID - - // Supplier is the name of the supplier of the component - // CycloneDX: component.supplier - // SPDX: package.supplier - Supplier string - - // Files is a list of files that are part of the component. - // CycloneDX: component.properties - // SPDX: files - Files []File - - // Properties is a list of key-value pairs that provide additional information about the component - // CycloneDX: component.properties - // SPDX: package.attributionTexts - Properties Properties `hash:"set"` -} - -func (c *Component) ID() uuid.UUID { - return c.id -} - -type File struct { - // Path is a path of the file. - // CycloneDX: N/A - // SPDX: package.files[].fileName - Path string - - // Hash is a hash that uniquely identify the component. - // A file can have several digests with different algorithms, like SHA1, SHA256, etc. - // CycloneDX: component.hashes - // SPDX: package.files[].checksums - Digests []digest.Digest -} - -type Property struct { - Name string - Value string - Namespace string -} - -type Properties []Property - -func (p Properties) Len() int { return len(p) } -func (p Properties) Less(i, j int) bool { - if p[i].Name != p[j].Name { - return p[i].Name < p[j].Name - } - return p[i].Value < p[j].Value -} -func (p Properties) Swap(i, j int) { p[i], p[j] = p[j], p[i] } - -type Relationship struct { - Dependency uuid.UUID - Type RelationshipType -} - -type PkgID struct { - PURL *packageurl.PackageURL - BOMRef string -} - -type Vulnerability struct { - dtypes.Vulnerability - ID string - PkgID string - PkgName string - InstalledVersion string - FixedVersion string - PrimaryURL string - DataSource *dtypes.DataSource -} - -type Options struct { - GenerateBOMRef bool -} - -func NewBOM(opts Options) *BOM { - return &BOM{ - components: make(map[uuid.UUID]*Component), - relationships: make(map[uuid.UUID][]Relationship), - vulnerabilities: make(map[uuid.UUID][]Vulnerability), - purls: make(map[string][]uuid.UUID), - opts: opts, - } -} - -func (b *BOM) setupComponent(c *Component) { - if c.id == uuid.Nil { - c.id = uuid.New() - } - if c.PkgID.PURL != nil { - p := c.PkgID.PURL.String() - b.purls[p] = append(b.purls[p], c.id) - } - sort.Sort(c.Properties) -} - -func (b *BOM) AddComponent(c *Component) { - b.setupComponent(c) - if c.Root { - b.rootID = c.id - } - b.components[c.id] = c -} - -func (b *BOM) AddRelationship(parent, child *Component, relationshipType RelationshipType) { - if parent.id == uuid.Nil { - b.AddComponent(parent) - } - - if child == nil { - b.relationships[parent.id] = nil // Meaning no dependencies - return - } - - if child.id == uuid.Nil { - b.AddComponent(child) - } - - b.relationships[parent.id] = append(b.relationships[parent.id], Relationship{ - Type: relationshipType, - Dependency: child.id, - }) -} - -func (b *BOM) AddVulnerabilities(c *Component, vulns []Vulnerability) { - if c.id == uuid.Nil { - b.AddComponent(c) - } - if _, ok := b.vulnerabilities[c.id]; ok { - return - } - b.vulnerabilities[c.id] = vulns -} - -func (b *BOM) Root() *Component { - root, ok := b.components[b.rootID] - if !ok { - return nil - } - if b.opts.GenerateBOMRef { - root.PkgID.BOMRef = b.bomRef(root) - } - return root -} - -func (b *BOM) Components() map[uuid.UUID]*Component { - // Fill in BOMRefs for components - if b.opts.GenerateBOMRef { - for id, c := range b.components { - b.components[id].PkgID.BOMRef = b.bomRef(c) - } - } - return b.components -} - -func (b *BOM) Relationships() map[uuid.UUID][]Relationship { - return b.relationships -} - -func (b *BOM) Vulnerabilities() map[uuid.UUID][]Vulnerability { - return b.vulnerabilities -} - -func (b *BOM) NumComponents() int { - return len(b.components) + 1 // +1 for the root component -} - -// bomRef returns BOMRef for CycloneDX -// When multiple lock files have the same dependency with the same name and version, PURL in the BOM can conflict. -// In that case, PURL cannot be used as a unique identifier, and UUIDv4 be used for BOMRef. -func (b *BOM) bomRef(c *Component) string { - if c.PkgID.BOMRef != "" { - return c.PkgID.BOMRef - } - // Return the UUID of the component if the PURL is not present. - if c.PkgID.PURL == nil { - return c.id.String() - } - p := c.PkgID.PURL.String() - - // Return the UUID of the component if the PURL is not unique in the BOM. - if len(b.purls[p]) > 1 { - return c.id.String() - } - return p -} diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/finding.go b/vendor/github.com/aquasecurity/trivy/pkg/types/finding.go deleted file mode 100644 index 9e194b8e6..000000000 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/finding.go +++ /dev/null @@ -1,47 +0,0 @@ -package types - -type FindingType string -type FindingStatus string - -const ( - FindingTypeVulnerability FindingType = "vulnerability" - FindingTypeMisconfiguration FindingType = "misconfiguration" - FindingTypeSecret FindingType = "secret" - FindingTypeLicense FindingType = "license" - - FindingStatusIgnored FindingStatus = "ignored" // Trivy - FindingStatusUnknown FindingStatus = "unknown" // Trivy - FindingStatusNotAffected FindingStatus = "not_affected" // VEX - FindingStatusAffected FindingStatus = "affected" // VEX - FindingStatusFixed FindingStatus = "fixed" // VEX - FindingStatusUnderInvestigation FindingStatus = "under_investigation" // VEX -) - -// Finding represents one of the findings that Trivy can detect, -// such as vulnerabilities, misconfigurations, secrets, and licenses. -type finding interface { - findingType() FindingType -} - -// ModifiedFinding represents a security finding that has been modified by an external source, -// such as .trivyignore and VEX. Currently, it is primarily used to account for vulnerabilities -// that are ignored via .trivyignore or identified as not impactful through VEX. -// However, it is planned to also store vulnerabilities whose severity has been adjusted by VEX, -// or that have been detected through Wasm modules in the future. -type ModifiedFinding struct { - Type FindingType - Status FindingStatus - Statement string - Source string - Finding finding // one of findings -} - -func NewModifiedFinding(f finding, status FindingStatus, statement, source string) ModifiedFinding { - return ModifiedFinding{ - Type: f.findingType(), - Status: status, - Statement: statement, - Source: source, - Finding: f, - } -} diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/license.go b/vendor/github.com/aquasecurity/trivy/pkg/types/license.go index baca0328a..5cf94a9e2 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/license.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/types/license.go @@ -29,5 +29,3 @@ type DetectedLicense struct { // Link is a SPDX link of the license Link string } - -func (DetectedLicense) findingType() FindingType { return FindingTypeLicense } diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/misconfiguration.go b/vendor/github.com/aquasecurity/trivy/pkg/types/misconfiguration.go index ebd21a23d..29e5828e2 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/misconfiguration.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/types/misconfiguration.go @@ -28,14 +28,17 @@ type DetectedMisconfiguration struct { type MisconfStatus string const ( - // MisconfStatusPassed represents successful status - MisconfStatusPassed MisconfStatus = "PASS" + // StatusPassed represents successful status + StatusPassed MisconfStatus = "PASS" - // MisconfStatusFailure represents failure status - MisconfStatusFailure MisconfStatus = "FAIL" + // StatusFailure represents failure status + StatusFailure MisconfStatus = "FAIL" - // MisconfStatusException Passed represents the status of exception - MisconfStatusException MisconfStatus = "EXCEPTION" + // StatusException Passed represents the status of exception + StatusException MisconfStatus = "EXCEPTION" ) -func (DetectedMisconfiguration) findingType() FindingType { return FindingTypeMisconfiguration } +// GetID retrun misconfig ID +func (mc *DetectedMisconfiguration) GetID() string { + return mc.AVDID +} diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/report.go b/vendor/github.com/aquasecurity/trivy/pkg/types/report.go index e6c96d956..9d01a704a 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/report.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/types/report.go @@ -6,7 +6,6 @@ import ( v1 "github.com/google/go-containerregistry/pkg/v1" // nolint: goimports ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" - "github.com/aquasecurity/trivy/pkg/sbom/core" ) // Report represents a scan result @@ -18,8 +17,8 @@ type Report struct { Metadata Metadata `json:",omitempty"` Results Results `json:",omitempty"` - // parsed SBOM - BOM *core.BOM `json:"-"` // Just for internal usage, not exported in JSON + // SBOM + CycloneDX *ftypes.CycloneDX `json:"-"` // Just for internal usage, not exported in JSON } // Metadata represents a metadata of artifact @@ -109,19 +108,14 @@ type Result struct { Vulnerabilities []DetectedVulnerability `json:"Vulnerabilities,omitempty"` MisconfSummary *MisconfSummary `json:"MisconfSummary,omitempty"` Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"` - Secrets []DetectedSecret `json:"Secrets,omitempty"` + Secrets []ftypes.SecretFinding `json:"Secrets,omitempty"` Licenses []DetectedLicense `json:"Licenses,omitempty"` CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"` - - // ModifiedFindings holds a list of findings that have been modified from their original state. - // This can include vulnerabilities that have been marked as ignored, not affected, or have had - // their severity adjusted. It is currently available only in the table format. - ModifiedFindings []ModifiedFinding `json:"-"` } func (r *Result) IsEmpty() bool { return len(r.Packages) == 0 && len(r.Vulnerabilities) == 0 && len(r.Misconfigurations) == 0 && - len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.CustomResources) == 0 && len(r.ModifiedFindings) == 0 + len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.CustomResources) == 0 } type MisconfSummary struct { @@ -141,7 +135,7 @@ func (results Results) Failed() bool { return true } for _, m := range r.Misconfigurations { - if m.Status == MisconfStatusFailure { + if m.Status == StatusFailure { return true } } diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/sbom.go b/vendor/github.com/aquasecurity/trivy/pkg/types/sbom.go index 82f6139e4..61d21b7d7 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/sbom.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/types/sbom.go @@ -1,21 +1,22 @@ package types import ( - ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" - "github.com/aquasecurity/trivy/pkg/sbom/core" -) + stypes "github.com/spdx/tools-golang/spdx" -type SBOMSource = string + "github.com/aquasecurity/trivy/pkg/fanal/types" +) type SBOM struct { - Metadata Metadata + OS types.OS + Packages []types.PackageInfo + Applications []types.Application - Packages []ftypes.PackageInfo - Applications []ftypes.Application - - BOM *core.BOM + CycloneDX *types.CycloneDX + SPDX *stypes.Document } +type SBOMSource = string + const ( SBOMSourceOCI = SBOMSource("oci") SBOMSourceRekor = SBOMSource("rekor") diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/secret.go b/vendor/github.com/aquasecurity/trivy/pkg/types/secret.go deleted file mode 100644 index 4e8605957..000000000 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/secret.go +++ /dev/null @@ -1,9 +0,0 @@ -package types - -import ( - ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" -) - -type DetectedSecret ftypes.SecretFinding - -func (DetectedSecret) findingType() FindingType { return FindingTypeSecret } diff --git a/vendor/github.com/aquasecurity/trivy/pkg/types/vulnerability.go b/vendor/github.com/aquasecurity/trivy/pkg/types/vulnerability.go index 693b212d0..7e0d942cf 100644 --- a/vendor/github.com/aquasecurity/trivy/pkg/types/vulnerability.go +++ b/vendor/github.com/aquasecurity/trivy/pkg/types/vulnerability.go @@ -30,7 +30,10 @@ type DetectedVulnerability struct { types.Vulnerability } -func (DetectedVulnerability) findingType() FindingType { return FindingTypeVulnerability } +// GetID retrun Vulnerability ID +func (vuln *DetectedVulnerability) GetID() string { + return vuln.VulnerabilityID +} // BySeverity implements sort.Interface based on the Severity field. type BySeverity []DetectedVulnerability diff --git a/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid.go b/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid.go deleted file mode 100644 index 3e3ad456a..000000000 --- a/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid.go +++ /dev/null @@ -1,36 +0,0 @@ -//go:build !tinygo.wasm - -package uuid - -import ( - "fmt" - "testing" - - "github.com/google/uuid" -) - -type UUID = uuid.UUID - -var ( - newUUID func() uuid.UUID = uuid.New - Nil = uuid.Nil - MustParse = uuid.MustParse -) - -// SetFakeUUID sets a fake UUID for testing. -// The 'format' is used to generate a fake UUID and -// must contain a single '%d' which will be replaced with a counter. -func SetFakeUUID(t *testing.T, format string) { - var count int - newUUID = func() uuid.UUID { - count++ - return uuid.Must(uuid.Parse(fmt.Sprintf(format, count))) - } - t.Cleanup(func() { - newUUID = uuid.New - }) -} - -func New() UUID { - return newUUID() -} diff --git a/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid_tinygo.go b/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid_tinygo.go deleted file mode 100644 index fe328cea9..000000000 --- a/vendor/github.com/aquasecurity/trivy/pkg/uuid/uuid_tinygo.go +++ /dev/null @@ -1,13 +0,0 @@ -//go:build tinygo.wasm - -package uuid - -// TinyGo doesn't work with github.com/google/uuid - -type UUID string - -func (UUID) String() string { return "" } - -const Nil = "" - -func New() UUID { return "" } diff --git a/vendor/github.com/google/uuid/CHANGELOG.md b/vendor/github.com/google/uuid/CHANGELOG.md deleted file mode 100644 index 7ec5ac7ea..000000000 --- a/vendor/github.com/google/uuid/CHANGELOG.md +++ /dev/null @@ -1,41 +0,0 @@ -# Changelog - -## [1.6.0](https://github.com/google/uuid/compare/v1.5.0...v1.6.0) (2024-01-16) - - -### Features - -* add Max UUID constant ([#149](https://github.com/google/uuid/issues/149)) ([c58770e](https://github.com/google/uuid/commit/c58770eb495f55fe2ced6284f93c5158a62e53e3)) - - -### Bug Fixes - -* fix typo in version 7 uuid documentation ([#153](https://github.com/google/uuid/issues/153)) ([016b199](https://github.com/google/uuid/commit/016b199544692f745ffc8867b914129ecb47ef06)) -* Monotonicity in UUIDv7 ([#150](https://github.com/google/uuid/issues/150)) ([a2b2b32](https://github.com/google/uuid/commit/a2b2b32373ff0b1a312b7fdf6d38a977099698a6)) - -## [1.5.0](https://github.com/google/uuid/compare/v1.4.0...v1.5.0) (2023-12-12) - - -### Features - -* Validate UUID without creating new UUID ([#141](https://github.com/google/uuid/issues/141)) ([9ee7366](https://github.com/google/uuid/commit/9ee7366e66c9ad96bab89139418a713dc584ae29)) - -## [1.4.0](https://github.com/google/uuid/compare/v1.3.1...v1.4.0) (2023-10-26) - - -### Features - -* UUIDs slice type with Strings() convenience method ([#133](https://github.com/google/uuid/issues/133)) ([cd5fbbd](https://github.com/google/uuid/commit/cd5fbbdd02f3e3467ac18940e07e062be1f864b4)) - -### Fixes - -* Clarify that Parse's job is to parse but not necessarily validate strings. (Documents current behavior) - -## [1.3.1](https://github.com/google/uuid/compare/v1.3.0...v1.3.1) (2023-08-18) - - -### Bug Fixes - -* Use .EqualFold() to parse urn prefixed UUIDs ([#118](https://github.com/google/uuid/issues/118)) ([574e687](https://github.com/google/uuid/commit/574e6874943741fb99d41764c705173ada5293f0)) - -## Changelog diff --git a/vendor/github.com/google/uuid/CONTRIBUTING.md b/vendor/github.com/google/uuid/CONTRIBUTING.md deleted file mode 100644 index a502fdc51..000000000 --- a/vendor/github.com/google/uuid/CONTRIBUTING.md +++ /dev/null @@ -1,26 +0,0 @@ -# How to contribute - -We definitely welcome patches and contribution to this project! - -### Tips - -Commits must be formatted according to the [Conventional Commits Specification](https://www.conventionalcommits.org). - -Always try to include a test case! If it is not possible or not necessary, -please explain why in the pull request description. - -### Releasing - -Commits that would precipitate a SemVer change, as described in the Conventional -Commits Specification, will trigger [`release-please`](https://github.com/google-github-actions/release-please-action) -to create a release candidate pull request. Once submitted, `release-please` -will create a release. - -For tips on how to work with `release-please`, see its documentation. - -### Legal requirements - -In order to protect both you and ourselves, you will need to sign the -[Contributor License Agreement](https://cla.developers.google.com/clas). - -You may have already signed it for other Google projects. diff --git a/vendor/github.com/google/uuid/CONTRIBUTORS b/vendor/github.com/google/uuid/CONTRIBUTORS deleted file mode 100644 index b4bb97f6b..000000000 --- a/vendor/github.com/google/uuid/CONTRIBUTORS +++ /dev/null @@ -1,9 +0,0 @@ -Paul Borman -bmatsuo -shawnps -theory -jboverfelt -dsymonds -cd1 -wallclockbuilder -dansouza diff --git a/vendor/github.com/google/uuid/LICENSE b/vendor/github.com/google/uuid/LICENSE deleted file mode 100644 index 5dc68268d..000000000 --- a/vendor/github.com/google/uuid/LICENSE +++ /dev/null @@ -1,27 +0,0 @@ -Copyright (c) 2009,2014 Google Inc. All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met: - - * Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following disclaimer -in the documentation and/or other materials provided with the -distribution. - * Neither the name of Google Inc. nor the names of its -contributors may be used to endorse or promote products derived from -this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/google/uuid/README.md b/vendor/github.com/google/uuid/README.md deleted file mode 100644 index 3e9a61889..000000000 --- a/vendor/github.com/google/uuid/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# uuid -The uuid package generates and inspects UUIDs based on -[RFC 4122](https://datatracker.ietf.org/doc/html/rfc4122) -and DCE 1.1: Authentication and Security Services. - -This package is based on the github.com/pborman/uuid package (previously named -code.google.com/p/go-uuid). It differs from these earlier packages in that -a UUID is a 16 byte array rather than a byte slice. One loss due to this -change is the ability to represent an invalid UUID (vs a NIL UUID). - -###### Install -```sh -go get github.com/google/uuid -``` - -###### Documentation -[![Go Reference](https://pkg.go.dev/badge/github.com/google/uuid.svg)](https://pkg.go.dev/github.com/google/uuid) - -Full `go doc` style documentation for the package can be viewed online without -installing this package by using the GoDoc site here: -http://pkg.go.dev/github.com/google/uuid diff --git a/vendor/github.com/google/uuid/dce.go b/vendor/github.com/google/uuid/dce.go deleted file mode 100644 index fa820b9d3..000000000 --- a/vendor/github.com/google/uuid/dce.go +++ /dev/null @@ -1,80 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "encoding/binary" - "fmt" - "os" -) - -// A Domain represents a Version 2 domain -type Domain byte - -// Domain constants for DCE Security (Version 2) UUIDs. -const ( - Person = Domain(0) - Group = Domain(1) - Org = Domain(2) -) - -// NewDCESecurity returns a DCE Security (Version 2) UUID. -// -// The domain should be one of Person, Group or Org. -// On a POSIX system the id should be the users UID for the Person -// domain and the users GID for the Group. The meaning of id for -// the domain Org or on non-POSIX systems is site defined. -// -// For a given domain/id pair the same token may be returned for up to -// 7 minutes and 10 seconds. -func NewDCESecurity(domain Domain, id uint32) (UUID, error) { - uuid, err := NewUUID() - if err == nil { - uuid[6] = (uuid[6] & 0x0f) | 0x20 // Version 2 - uuid[9] = byte(domain) - binary.BigEndian.PutUint32(uuid[0:], id) - } - return uuid, err -} - -// NewDCEPerson returns a DCE Security (Version 2) UUID in the person -// domain with the id returned by os.Getuid. -// -// NewDCESecurity(Person, uint32(os.Getuid())) -func NewDCEPerson() (UUID, error) { - return NewDCESecurity(Person, uint32(os.Getuid())) -} - -// NewDCEGroup returns a DCE Security (Version 2) UUID in the group -// domain with the id returned by os.Getgid. -// -// NewDCESecurity(Group, uint32(os.Getgid())) -func NewDCEGroup() (UUID, error) { - return NewDCESecurity(Group, uint32(os.Getgid())) -} - -// Domain returns the domain for a Version 2 UUID. Domains are only defined -// for Version 2 UUIDs. -func (uuid UUID) Domain() Domain { - return Domain(uuid[9]) -} - -// ID returns the id for a Version 2 UUID. IDs are only defined for Version 2 -// UUIDs. -func (uuid UUID) ID() uint32 { - return binary.BigEndian.Uint32(uuid[0:4]) -} - -func (d Domain) String() string { - switch d { - case Person: - return "Person" - case Group: - return "Group" - case Org: - return "Org" - } - return fmt.Sprintf("Domain%d", int(d)) -} diff --git a/vendor/github.com/google/uuid/doc.go b/vendor/github.com/google/uuid/doc.go deleted file mode 100644 index 5b8a4b9af..000000000 --- a/vendor/github.com/google/uuid/doc.go +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package uuid generates and inspects UUIDs. -// -// UUIDs are based on RFC 4122 and DCE 1.1: Authentication and Security -// Services. -// -// A UUID is a 16 byte (128 bit) array. UUIDs may be used as keys to -// maps or compared directly. -package uuid diff --git a/vendor/github.com/google/uuid/hash.go b/vendor/github.com/google/uuid/hash.go deleted file mode 100644 index dc60082d3..000000000 --- a/vendor/github.com/google/uuid/hash.go +++ /dev/null @@ -1,59 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "crypto/md5" - "crypto/sha1" - "hash" -) - -// Well known namespace IDs and UUIDs -var ( - NameSpaceDNS = Must(Parse("6ba7b810-9dad-11d1-80b4-00c04fd430c8")) - NameSpaceURL = Must(Parse("6ba7b811-9dad-11d1-80b4-00c04fd430c8")) - NameSpaceOID = Must(Parse("6ba7b812-9dad-11d1-80b4-00c04fd430c8")) - NameSpaceX500 = Must(Parse("6ba7b814-9dad-11d1-80b4-00c04fd430c8")) - Nil UUID // empty UUID, all zeros - - // The Max UUID is special form of UUID that is specified to have all 128 bits set to 1. - Max = UUID{ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - } -) - -// NewHash returns a new UUID derived from the hash of space concatenated with -// data generated by h. The hash should be at least 16 byte in length. The -// first 16 bytes of the hash are used to form the UUID. The version of the -// UUID will be the lower 4 bits of version. NewHash is used to implement -// NewMD5 and NewSHA1. -func NewHash(h hash.Hash, space UUID, data []byte, version int) UUID { - h.Reset() - h.Write(space[:]) //nolint:errcheck - h.Write(data) //nolint:errcheck - s := h.Sum(nil) - var uuid UUID - copy(uuid[:], s) - uuid[6] = (uuid[6] & 0x0f) | uint8((version&0xf)<<4) - uuid[8] = (uuid[8] & 0x3f) | 0x80 // RFC 4122 variant - return uuid -} - -// NewMD5 returns a new MD5 (Version 3) UUID based on the -// supplied name space and data. It is the same as calling: -// -// NewHash(md5.New(), space, data, 3) -func NewMD5(space UUID, data []byte) UUID { - return NewHash(md5.New(), space, data, 3) -} - -// NewSHA1 returns a new SHA1 (Version 5) UUID based on the -// supplied name space and data. It is the same as calling: -// -// NewHash(sha1.New(), space, data, 5) -func NewSHA1(space UUID, data []byte) UUID { - return NewHash(sha1.New(), space, data, 5) -} diff --git a/vendor/github.com/google/uuid/marshal.go b/vendor/github.com/google/uuid/marshal.go deleted file mode 100644 index 14bd34072..000000000 --- a/vendor/github.com/google/uuid/marshal.go +++ /dev/null @@ -1,38 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import "fmt" - -// MarshalText implements encoding.TextMarshaler. -func (uuid UUID) MarshalText() ([]byte, error) { - var js [36]byte - encodeHex(js[:], uuid) - return js[:], nil -} - -// UnmarshalText implements encoding.TextUnmarshaler. -func (uuid *UUID) UnmarshalText(data []byte) error { - id, err := ParseBytes(data) - if err != nil { - return err - } - *uuid = id - return nil -} - -// MarshalBinary implements encoding.BinaryMarshaler. -func (uuid UUID) MarshalBinary() ([]byte, error) { - return uuid[:], nil -} - -// UnmarshalBinary implements encoding.BinaryUnmarshaler. -func (uuid *UUID) UnmarshalBinary(data []byte) error { - if len(data) != 16 { - return fmt.Errorf("invalid UUID (got %d bytes)", len(data)) - } - copy(uuid[:], data) - return nil -} diff --git a/vendor/github.com/google/uuid/node.go b/vendor/github.com/google/uuid/node.go deleted file mode 100644 index d651a2b06..000000000 --- a/vendor/github.com/google/uuid/node.go +++ /dev/null @@ -1,90 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "sync" -) - -var ( - nodeMu sync.Mutex - ifname string // name of interface being used - nodeID [6]byte // hardware for version 1 UUIDs - zeroID [6]byte // nodeID with only 0's -) - -// NodeInterface returns the name of the interface from which the NodeID was -// derived. The interface "user" is returned if the NodeID was set by -// SetNodeID. -func NodeInterface() string { - defer nodeMu.Unlock() - nodeMu.Lock() - return ifname -} - -// SetNodeInterface selects the hardware address to be used for Version 1 UUIDs. -// If name is "" then the first usable interface found will be used or a random -// Node ID will be generated. If a named interface cannot be found then false -// is returned. -// -// SetNodeInterface never fails when name is "". -func SetNodeInterface(name string) bool { - defer nodeMu.Unlock() - nodeMu.Lock() - return setNodeInterface(name) -} - -func setNodeInterface(name string) bool { - iname, addr := getHardwareInterface(name) // null implementation for js - if iname != "" && addr != nil { - ifname = iname - copy(nodeID[:], addr) - return true - } - - // We found no interfaces with a valid hardware address. If name - // does not specify a specific interface generate a random Node ID - // (section 4.1.6) - if name == "" { - ifname = "random" - randomBits(nodeID[:]) - return true - } - return false -} - -// NodeID returns a slice of a copy of the current Node ID, setting the Node ID -// if not already set. -func NodeID() []byte { - defer nodeMu.Unlock() - nodeMu.Lock() - if nodeID == zeroID { - setNodeInterface("") - } - nid := nodeID - return nid[:] -} - -// SetNodeID sets the Node ID to be used for Version 1 UUIDs. The first 6 bytes -// of id are used. If id is less than 6 bytes then false is returned and the -// Node ID is not set. -func SetNodeID(id []byte) bool { - if len(id) < 6 { - return false - } - defer nodeMu.Unlock() - nodeMu.Lock() - copy(nodeID[:], id) - ifname = "user" - return true -} - -// NodeID returns the 6 byte node id encoded in uuid. It returns nil if uuid is -// not valid. The NodeID is only well defined for version 1 and 2 UUIDs. -func (uuid UUID) NodeID() []byte { - var node [6]byte - copy(node[:], uuid[10:]) - return node[:] -} diff --git a/vendor/github.com/google/uuid/node_js.go b/vendor/github.com/google/uuid/node_js.go deleted file mode 100644 index b2a0bc871..000000000 --- a/vendor/github.com/google/uuid/node_js.go +++ /dev/null @@ -1,12 +0,0 @@ -// Copyright 2017 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build js - -package uuid - -// getHardwareInterface returns nil values for the JS version of the code. -// This removes the "net" dependency, because it is not used in the browser. -// Using the "net" library inflates the size of the transpiled JS code by 673k bytes. -func getHardwareInterface(name string) (string, []byte) { return "", nil } diff --git a/vendor/github.com/google/uuid/node_net.go b/vendor/github.com/google/uuid/node_net.go deleted file mode 100644 index 0cbbcddbd..000000000 --- a/vendor/github.com/google/uuid/node_net.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright 2017 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build !js - -package uuid - -import "net" - -var interfaces []net.Interface // cached list of interfaces - -// getHardwareInterface returns the name and hardware address of interface name. -// If name is "" then the name and hardware address of one of the system's -// interfaces is returned. If no interfaces are found (name does not exist or -// there are no interfaces) then "", nil is returned. -// -// Only addresses of at least 6 bytes are returned. -func getHardwareInterface(name string) (string, []byte) { - if interfaces == nil { - var err error - interfaces, err = net.Interfaces() - if err != nil { - return "", nil - } - } - for _, ifs := range interfaces { - if len(ifs.HardwareAddr) >= 6 && (name == "" || name == ifs.Name) { - return ifs.Name, ifs.HardwareAddr - } - } - return "", nil -} diff --git a/vendor/github.com/google/uuid/null.go b/vendor/github.com/google/uuid/null.go deleted file mode 100644 index d7fcbf286..000000000 --- a/vendor/github.com/google/uuid/null.go +++ /dev/null @@ -1,118 +0,0 @@ -// Copyright 2021 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "bytes" - "database/sql/driver" - "encoding/json" - "fmt" -) - -var jsonNull = []byte("null") - -// NullUUID represents a UUID that may be null. -// NullUUID implements the SQL driver.Scanner interface so -// it can be used as a scan destination: -// -// var u uuid.NullUUID -// err := db.QueryRow("SELECT name FROM foo WHERE id=?", id).Scan(&u) -// ... -// if u.Valid { -// // use u.UUID -// } else { -// // NULL value -// } -// -type NullUUID struct { - UUID UUID - Valid bool // Valid is true if UUID is not NULL -} - -// Scan implements the SQL driver.Scanner interface. -func (nu *NullUUID) Scan(value interface{}) error { - if value == nil { - nu.UUID, nu.Valid = Nil, false - return nil - } - - err := nu.UUID.Scan(value) - if err != nil { - nu.Valid = false - return err - } - - nu.Valid = true - return nil -} - -// Value implements the driver Valuer interface. -func (nu NullUUID) Value() (driver.Value, error) { - if !nu.Valid { - return nil, nil - } - // Delegate to UUID Value function - return nu.UUID.Value() -} - -// MarshalBinary implements encoding.BinaryMarshaler. -func (nu NullUUID) MarshalBinary() ([]byte, error) { - if nu.Valid { - return nu.UUID[:], nil - } - - return []byte(nil), nil -} - -// UnmarshalBinary implements encoding.BinaryUnmarshaler. -func (nu *NullUUID) UnmarshalBinary(data []byte) error { - if len(data) != 16 { - return fmt.Errorf("invalid UUID (got %d bytes)", len(data)) - } - copy(nu.UUID[:], data) - nu.Valid = true - return nil -} - -// MarshalText implements encoding.TextMarshaler. -func (nu NullUUID) MarshalText() ([]byte, error) { - if nu.Valid { - return nu.UUID.MarshalText() - } - - return jsonNull, nil -} - -// UnmarshalText implements encoding.TextUnmarshaler. -func (nu *NullUUID) UnmarshalText(data []byte) error { - id, err := ParseBytes(data) - if err != nil { - nu.Valid = false - return err - } - nu.UUID = id - nu.Valid = true - return nil -} - -// MarshalJSON implements json.Marshaler. -func (nu NullUUID) MarshalJSON() ([]byte, error) { - if nu.Valid { - return json.Marshal(nu.UUID) - } - - return jsonNull, nil -} - -// UnmarshalJSON implements json.Unmarshaler. -func (nu *NullUUID) UnmarshalJSON(data []byte) error { - if bytes.Equal(data, jsonNull) { - *nu = NullUUID{} - return nil // valid null UUID - } - err := json.Unmarshal(data, &nu.UUID) - nu.Valid = err == nil - return err -} diff --git a/vendor/github.com/google/uuid/sql.go b/vendor/github.com/google/uuid/sql.go deleted file mode 100644 index 2e02ec06c..000000000 --- a/vendor/github.com/google/uuid/sql.go +++ /dev/null @@ -1,59 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "database/sql/driver" - "fmt" -) - -// Scan implements sql.Scanner so UUIDs can be read from databases transparently. -// Currently, database types that map to string and []byte are supported. Please -// consult database-specific driver documentation for matching types. -func (uuid *UUID) Scan(src interface{}) error { - switch src := src.(type) { - case nil: - return nil - - case string: - // if an empty UUID comes from a table, we return a null UUID - if src == "" { - return nil - } - - // see Parse for required string format - u, err := Parse(src) - if err != nil { - return fmt.Errorf("Scan: %v", err) - } - - *uuid = u - - case []byte: - // if an empty UUID comes from a table, we return a null UUID - if len(src) == 0 { - return nil - } - - // assumes a simple slice of bytes if 16 bytes - // otherwise attempts to parse - if len(src) != 16 { - return uuid.Scan(string(src)) - } - copy((*uuid)[:], src) - - default: - return fmt.Errorf("Scan: unable to scan type %T into UUID", src) - } - - return nil -} - -// Value implements sql.Valuer so that UUIDs can be written to databases -// transparently. Currently, UUIDs map to strings. Please consult -// database-specific driver documentation for matching types. -func (uuid UUID) Value() (driver.Value, error) { - return uuid.String(), nil -} diff --git a/vendor/github.com/google/uuid/time.go b/vendor/github.com/google/uuid/time.go deleted file mode 100644 index c35112927..000000000 --- a/vendor/github.com/google/uuid/time.go +++ /dev/null @@ -1,134 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "encoding/binary" - "sync" - "time" -) - -// A Time represents a time as the number of 100's of nanoseconds since 15 Oct -// 1582. -type Time int64 - -const ( - lillian = 2299160 // Julian day of 15 Oct 1582 - unix = 2440587 // Julian day of 1 Jan 1970 - epoch = unix - lillian // Days between epochs - g1582 = epoch * 86400 // seconds between epochs - g1582ns100 = g1582 * 10000000 // 100s of a nanoseconds between epochs -) - -var ( - timeMu sync.Mutex - lasttime uint64 // last time we returned - clockSeq uint16 // clock sequence for this run - - timeNow = time.Now // for testing -) - -// UnixTime converts t the number of seconds and nanoseconds using the Unix -// epoch of 1 Jan 1970. -func (t Time) UnixTime() (sec, nsec int64) { - sec = int64(t - g1582ns100) - nsec = (sec % 10000000) * 100 - sec /= 10000000 - return sec, nsec -} - -// GetTime returns the current Time (100s of nanoseconds since 15 Oct 1582) and -// clock sequence as well as adjusting the clock sequence as needed. An error -// is returned if the current time cannot be determined. -func GetTime() (Time, uint16, error) { - defer timeMu.Unlock() - timeMu.Lock() - return getTime() -} - -func getTime() (Time, uint16, error) { - t := timeNow() - - // If we don't have a clock sequence already, set one. - if clockSeq == 0 { - setClockSequence(-1) - } - now := uint64(t.UnixNano()/100) + g1582ns100 - - // If time has gone backwards with this clock sequence then we - // increment the clock sequence - if now <= lasttime { - clockSeq = ((clockSeq + 1) & 0x3fff) | 0x8000 - } - lasttime = now - return Time(now), clockSeq, nil -} - -// ClockSequence returns the current clock sequence, generating one if not -// already set. The clock sequence is only used for Version 1 UUIDs. -// -// The uuid package does not use global static storage for the clock sequence or -// the last time a UUID was generated. Unless SetClockSequence is used, a new -// random clock sequence is generated the first time a clock sequence is -// requested by ClockSequence, GetTime, or NewUUID. (section 4.2.1.1) -func ClockSequence() int { - defer timeMu.Unlock() - timeMu.Lock() - return clockSequence() -} - -func clockSequence() int { - if clockSeq == 0 { - setClockSequence(-1) - } - return int(clockSeq & 0x3fff) -} - -// SetClockSequence sets the clock sequence to the lower 14 bits of seq. Setting to -// -1 causes a new sequence to be generated. -func SetClockSequence(seq int) { - defer timeMu.Unlock() - timeMu.Lock() - setClockSequence(seq) -} - -func setClockSequence(seq int) { - if seq == -1 { - var b [2]byte - randomBits(b[:]) // clock sequence - seq = int(b[0])<<8 | int(b[1]) - } - oldSeq := clockSeq - clockSeq = uint16(seq&0x3fff) | 0x8000 // Set our variant - if oldSeq != clockSeq { - lasttime = 0 - } -} - -// Time returns the time in 100s of nanoseconds since 15 Oct 1582 encoded in -// uuid. The time is only defined for version 1, 2, 6 and 7 UUIDs. -func (uuid UUID) Time() Time { - var t Time - switch uuid.Version() { - case 6: - time := binary.BigEndian.Uint64(uuid[:8]) // Ignore uuid[6] version b0110 - t = Time(time) - case 7: - time := binary.BigEndian.Uint64(uuid[:8]) - t = Time((time>>16)*10000 + g1582ns100) - default: // forward compatible - time := int64(binary.BigEndian.Uint32(uuid[0:4])) - time |= int64(binary.BigEndian.Uint16(uuid[4:6])) << 32 - time |= int64(binary.BigEndian.Uint16(uuid[6:8])&0xfff) << 48 - t = Time(time) - } - return t -} - -// ClockSequence returns the clock sequence encoded in uuid. -// The clock sequence is only well defined for version 1 and 2 UUIDs. -func (uuid UUID) ClockSequence() int { - return int(binary.BigEndian.Uint16(uuid[8:10])) & 0x3fff -} diff --git a/vendor/github.com/google/uuid/util.go b/vendor/github.com/google/uuid/util.go deleted file mode 100644 index 5ea6c7378..000000000 --- a/vendor/github.com/google/uuid/util.go +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "io" -) - -// randomBits completely fills slice b with random data. -func randomBits(b []byte) { - if _, err := io.ReadFull(rander, b); err != nil { - panic(err.Error()) // rand should never fail - } -} - -// xvalues returns the value of a byte as a hexadecimal digit or 255. -var xvalues = [256]byte{ - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255, - 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, -} - -// xtob converts hex characters x1 and x2 into a byte. -func xtob(x1, x2 byte) (byte, bool) { - b1 := xvalues[x1] - b2 := xvalues[x2] - return (b1 << 4) | b2, b1 != 255 && b2 != 255 -} diff --git a/vendor/github.com/google/uuid/uuid.go b/vendor/github.com/google/uuid/uuid.go deleted file mode 100644 index 5232b4867..000000000 --- a/vendor/github.com/google/uuid/uuid.go +++ /dev/null @@ -1,365 +0,0 @@ -// Copyright 2018 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "bytes" - "crypto/rand" - "encoding/hex" - "errors" - "fmt" - "io" - "strings" - "sync" -) - -// A UUID is a 128 bit (16 byte) Universal Unique IDentifier as defined in RFC -// 4122. -type UUID [16]byte - -// A Version represents a UUID's version. -type Version byte - -// A Variant represents a UUID's variant. -type Variant byte - -// Constants returned by Variant. -const ( - Invalid = Variant(iota) // Invalid UUID - RFC4122 // The variant specified in RFC4122 - Reserved // Reserved, NCS backward compatibility. - Microsoft // Reserved, Microsoft Corporation backward compatibility. - Future // Reserved for future definition. -) - -const randPoolSize = 16 * 16 - -var ( - rander = rand.Reader // random function - poolEnabled = false - poolMu sync.Mutex - poolPos = randPoolSize // protected with poolMu - pool [randPoolSize]byte // protected with poolMu -) - -type invalidLengthError struct{ len int } - -func (err invalidLengthError) Error() string { - return fmt.Sprintf("invalid UUID length: %d", err.len) -} - -// IsInvalidLengthError is matcher function for custom error invalidLengthError -func IsInvalidLengthError(err error) bool { - _, ok := err.(invalidLengthError) - return ok -} - -// Parse decodes s into a UUID or returns an error if it cannot be parsed. Both -// the standard UUID forms defined in RFC 4122 -// (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx and -// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) are decoded. In addition, -// Parse accepts non-standard strings such as the raw hex encoding -// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and 38 byte "Microsoft style" encodings, -// e.g. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. Only the middle 36 bytes are -// examined in the latter case. Parse should not be used to validate strings as -// it parses non-standard encodings as indicated above. -func Parse(s string) (UUID, error) { - var uuid UUID - switch len(s) { - // xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - case 36: - - // urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - case 36 + 9: - if !strings.EqualFold(s[:9], "urn:uuid:") { - return uuid, fmt.Errorf("invalid urn prefix: %q", s[:9]) - } - s = s[9:] - - // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} - case 36 + 2: - s = s[1:] - - // xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - case 32: - var ok bool - for i := range uuid { - uuid[i], ok = xtob(s[i*2], s[i*2+1]) - if !ok { - return uuid, errors.New("invalid UUID format") - } - } - return uuid, nil - default: - return uuid, invalidLengthError{len(s)} - } - // s is now at least 36 bytes long - // it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' { - return uuid, errors.New("invalid UUID format") - } - for i, x := range [16]int{ - 0, 2, 4, 6, - 9, 11, - 14, 16, - 19, 21, - 24, 26, 28, 30, 32, 34, - } { - v, ok := xtob(s[x], s[x+1]) - if !ok { - return uuid, errors.New("invalid UUID format") - } - uuid[i] = v - } - return uuid, nil -} - -// ParseBytes is like Parse, except it parses a byte slice instead of a string. -func ParseBytes(b []byte) (UUID, error) { - var uuid UUID - switch len(b) { - case 36: // xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - case 36 + 9: // urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - if !bytes.EqualFold(b[:9], []byte("urn:uuid:")) { - return uuid, fmt.Errorf("invalid urn prefix: %q", b[:9]) - } - b = b[9:] - case 36 + 2: // {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} - b = b[1:] - case 32: // xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - var ok bool - for i := 0; i < 32; i += 2 { - uuid[i/2], ok = xtob(b[i], b[i+1]) - if !ok { - return uuid, errors.New("invalid UUID format") - } - } - return uuid, nil - default: - return uuid, invalidLengthError{len(b)} - } - // s is now at least 36 bytes long - // it must be of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - if b[8] != '-' || b[13] != '-' || b[18] != '-' || b[23] != '-' { - return uuid, errors.New("invalid UUID format") - } - for i, x := range [16]int{ - 0, 2, 4, 6, - 9, 11, - 14, 16, - 19, 21, - 24, 26, 28, 30, 32, 34, - } { - v, ok := xtob(b[x], b[x+1]) - if !ok { - return uuid, errors.New("invalid UUID format") - } - uuid[i] = v - } - return uuid, nil -} - -// MustParse is like Parse but panics if the string cannot be parsed. -// It simplifies safe initialization of global variables holding compiled UUIDs. -func MustParse(s string) UUID { - uuid, err := Parse(s) - if err != nil { - panic(`uuid: Parse(` + s + `): ` + err.Error()) - } - return uuid -} - -// FromBytes creates a new UUID from a byte slice. Returns an error if the slice -// does not have a length of 16. The bytes are copied from the slice. -func FromBytes(b []byte) (uuid UUID, err error) { - err = uuid.UnmarshalBinary(b) - return uuid, err -} - -// Must returns uuid if err is nil and panics otherwise. -func Must(uuid UUID, err error) UUID { - if err != nil { - panic(err) - } - return uuid -} - -// Validate returns an error if s is not a properly formatted UUID in one of the following formats: -// xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -// {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} -// It returns an error if the format is invalid, otherwise nil. -func Validate(s string) error { - switch len(s) { - // Standard UUID format - case 36: - - // UUID with "urn:uuid:" prefix - case 36 + 9: - if !strings.EqualFold(s[:9], "urn:uuid:") { - return fmt.Errorf("invalid urn prefix: %q", s[:9]) - } - s = s[9:] - - // UUID enclosed in braces - case 36 + 2: - if s[0] != '{' || s[len(s)-1] != '}' { - return fmt.Errorf("invalid bracketed UUID format") - } - s = s[1 : len(s)-1] - - // UUID without hyphens - case 32: - for i := 0; i < len(s); i += 2 { - _, ok := xtob(s[i], s[i+1]) - if !ok { - return errors.New("invalid UUID format") - } - } - - default: - return invalidLengthError{len(s)} - } - - // Check for standard UUID format - if len(s) == 36 { - if s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' { - return errors.New("invalid UUID format") - } - for _, x := range []int{0, 2, 4, 6, 9, 11, 14, 16, 19, 21, 24, 26, 28, 30, 32, 34} { - if _, ok := xtob(s[x], s[x+1]); !ok { - return errors.New("invalid UUID format") - } - } - } - - return nil -} - -// String returns the string form of uuid, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -// , or "" if uuid is invalid. -func (uuid UUID) String() string { - var buf [36]byte - encodeHex(buf[:], uuid) - return string(buf[:]) -} - -// URN returns the RFC 2141 URN form of uuid, -// urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, or "" if uuid is invalid. -func (uuid UUID) URN() string { - var buf [36 + 9]byte - copy(buf[:], "urn:uuid:") - encodeHex(buf[9:], uuid) - return string(buf[:]) -} - -func encodeHex(dst []byte, uuid UUID) { - hex.Encode(dst, uuid[:4]) - dst[8] = '-' - hex.Encode(dst[9:13], uuid[4:6]) - dst[13] = '-' - hex.Encode(dst[14:18], uuid[6:8]) - dst[18] = '-' - hex.Encode(dst[19:23], uuid[8:10]) - dst[23] = '-' - hex.Encode(dst[24:], uuid[10:]) -} - -// Variant returns the variant encoded in uuid. -func (uuid UUID) Variant() Variant { - switch { - case (uuid[8] & 0xc0) == 0x80: - return RFC4122 - case (uuid[8] & 0xe0) == 0xc0: - return Microsoft - case (uuid[8] & 0xe0) == 0xe0: - return Future - default: - return Reserved - } -} - -// Version returns the version of uuid. -func (uuid UUID) Version() Version { - return Version(uuid[6] >> 4) -} - -func (v Version) String() string { - if v > 15 { - return fmt.Sprintf("BAD_VERSION_%d", v) - } - return fmt.Sprintf("VERSION_%d", v) -} - -func (v Variant) String() string { - switch v { - case RFC4122: - return "RFC4122" - case Reserved: - return "Reserved" - case Microsoft: - return "Microsoft" - case Future: - return "Future" - case Invalid: - return "Invalid" - } - return fmt.Sprintf("BadVariant%d", int(v)) -} - -// SetRand sets the random number generator to r, which implements io.Reader. -// If r.Read returns an error when the package requests random data then -// a panic will be issued. -// -// Calling SetRand with nil sets the random number generator to the default -// generator. -func SetRand(r io.Reader) { - if r == nil { - rander = rand.Reader - return - } - rander = r -} - -// EnableRandPool enables internal randomness pool used for Random -// (Version 4) UUID generation. The pool contains random bytes read from -// the random number generator on demand in batches. Enabling the pool -// may improve the UUID generation throughput significantly. -// -// Since the pool is stored on the Go heap, this feature may be a bad fit -// for security sensitive applications. -// -// Both EnableRandPool and DisableRandPool are not thread-safe and should -// only be called when there is no possibility that New or any other -// UUID Version 4 generation function will be called concurrently. -func EnableRandPool() { - poolEnabled = true -} - -// DisableRandPool disables the randomness pool if it was previously -// enabled with EnableRandPool. -// -// Both EnableRandPool and DisableRandPool are not thread-safe and should -// only be called when there is no possibility that New or any other -// UUID Version 4 generation function will be called concurrently. -func DisableRandPool() { - poolEnabled = false - defer poolMu.Unlock() - poolMu.Lock() - poolPos = randPoolSize -} - -// UUIDs is a slice of UUID types. -type UUIDs []UUID - -// Strings returns a string slice containing the string form of each UUID in uuids. -func (uuids UUIDs) Strings() []string { - var uuidStrs = make([]string, len(uuids)) - for i, uuid := range uuids { - uuidStrs[i] = uuid.String() - } - return uuidStrs -} diff --git a/vendor/github.com/google/uuid/version1.go b/vendor/github.com/google/uuid/version1.go deleted file mode 100644 index 463109629..000000000 --- a/vendor/github.com/google/uuid/version1.go +++ /dev/null @@ -1,44 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "encoding/binary" -) - -// NewUUID returns a Version 1 UUID based on the current NodeID and clock -// sequence, and the current time. If the NodeID has not been set by SetNodeID -// or SetNodeInterface then it will be set automatically. If the NodeID cannot -// be set NewUUID returns nil. If clock sequence has not been set by -// SetClockSequence then it will be set automatically. If GetTime fails to -// return the current NewUUID returns nil and an error. -// -// In most cases, New should be used. -func NewUUID() (UUID, error) { - var uuid UUID - now, seq, err := GetTime() - if err != nil { - return uuid, err - } - - timeLow := uint32(now & 0xffffffff) - timeMid := uint16((now >> 32) & 0xffff) - timeHi := uint16((now >> 48) & 0x0fff) - timeHi |= 0x1000 // Version 1 - - binary.BigEndian.PutUint32(uuid[0:], timeLow) - binary.BigEndian.PutUint16(uuid[4:], timeMid) - binary.BigEndian.PutUint16(uuid[6:], timeHi) - binary.BigEndian.PutUint16(uuid[8:], seq) - - nodeMu.Lock() - if nodeID == zeroID { - setNodeInterface("") - } - copy(uuid[10:], nodeID[:]) - nodeMu.Unlock() - - return uuid, nil -} diff --git a/vendor/github.com/google/uuid/version4.go b/vendor/github.com/google/uuid/version4.go deleted file mode 100644 index 7697802e4..000000000 --- a/vendor/github.com/google/uuid/version4.go +++ /dev/null @@ -1,76 +0,0 @@ -// Copyright 2016 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import "io" - -// New creates a new random UUID or panics. New is equivalent to -// the expression -// -// uuid.Must(uuid.NewRandom()) -func New() UUID { - return Must(NewRandom()) -} - -// NewString creates a new random UUID and returns it as a string or panics. -// NewString is equivalent to the expression -// -// uuid.New().String() -func NewString() string { - return Must(NewRandom()).String() -} - -// NewRandom returns a Random (Version 4) UUID. -// -// The strength of the UUIDs is based on the strength of the crypto/rand -// package. -// -// Uses the randomness pool if it was enabled with EnableRandPool. -// -// A note about uniqueness derived from the UUID Wikipedia entry: -// -// Randomly generated UUIDs have 122 random bits. One's annual risk of being -// hit by a meteorite is estimated to be one chance in 17 billion, that -// means the probability is about 0.00000000006 (6 × 10−11), -// equivalent to the odds of creating a few tens of trillions of UUIDs in a -// year and having one duplicate. -func NewRandom() (UUID, error) { - if !poolEnabled { - return NewRandomFromReader(rander) - } - return newRandomFromPool() -} - -// NewRandomFromReader returns a UUID based on bytes read from a given io.Reader. -func NewRandomFromReader(r io.Reader) (UUID, error) { - var uuid UUID - _, err := io.ReadFull(r, uuid[:]) - if err != nil { - return Nil, err - } - uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4 - uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10 - return uuid, nil -} - -func newRandomFromPool() (UUID, error) { - var uuid UUID - poolMu.Lock() - if poolPos == randPoolSize { - _, err := io.ReadFull(rander, pool[:]) - if err != nil { - poolMu.Unlock() - return Nil, err - } - poolPos = 0 - } - copy(uuid[:], pool[poolPos:(poolPos+16)]) - poolPos += 16 - poolMu.Unlock() - - uuid[6] = (uuid[6] & 0x0f) | 0x40 // Version 4 - uuid[8] = (uuid[8] & 0x3f) | 0x80 // Variant is 10 - return uuid, nil -} diff --git a/vendor/github.com/google/uuid/version6.go b/vendor/github.com/google/uuid/version6.go deleted file mode 100644 index 339a959a7..000000000 --- a/vendor/github.com/google/uuid/version6.go +++ /dev/null @@ -1,56 +0,0 @@ -// Copyright 2023 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import "encoding/binary" - -// UUID version 6 is a field-compatible version of UUIDv1, reordered for improved DB locality. -// It is expected that UUIDv6 will primarily be used in contexts where there are existing v1 UUIDs. -// Systems that do not involve legacy UUIDv1 SHOULD consider using UUIDv7 instead. -// -// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#uuidv6 -// -// NewV6 returns a Version 6 UUID based on the current NodeID and clock -// sequence, and the current time. If the NodeID has not been set by SetNodeID -// or SetNodeInterface then it will be set automatically. If the NodeID cannot -// be set NewV6 set NodeID is random bits automatically . If clock sequence has not been set by -// SetClockSequence then it will be set automatically. If GetTime fails to -// return the current NewV6 returns Nil and an error. -func NewV6() (UUID, error) { - var uuid UUID - now, seq, err := GetTime() - if err != nil { - return uuid, err - } - - /* - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | time_high | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | time_mid | time_low_and_version | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - |clk_seq_hi_res | clk_seq_low | node (0-1) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | node (2-5) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - */ - - binary.BigEndian.PutUint64(uuid[0:], uint64(now)) - binary.BigEndian.PutUint16(uuid[8:], seq) - - uuid[6] = 0x60 | (uuid[6] & 0x0F) - uuid[8] = 0x80 | (uuid[8] & 0x3F) - - nodeMu.Lock() - if nodeID == zeroID { - setNodeInterface("") - } - copy(uuid[10:], nodeID[:]) - nodeMu.Unlock() - - return uuid, nil -} diff --git a/vendor/github.com/google/uuid/version7.go b/vendor/github.com/google/uuid/version7.go deleted file mode 100644 index 3167b643d..000000000 --- a/vendor/github.com/google/uuid/version7.go +++ /dev/null @@ -1,104 +0,0 @@ -// Copyright 2023 Google Inc. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package uuid - -import ( - "io" -) - -// UUID version 7 features a time-ordered value field derived from the widely -// implemented and well known Unix Epoch timestamp source, -// the number of milliseconds seconds since midnight 1 Jan 1970 UTC, leap seconds excluded. -// As well as improved entropy characteristics over versions 1 or 6. -// -// see https://datatracker.ietf.org/doc/html/draft-peabody-dispatch-new-uuid-format-03#name-uuid-version-7 -// -// Implementations SHOULD utilize UUID version 7 over UUID version 1 and 6 if possible. -// -// NewV7 returns a Version 7 UUID based on the current time(Unix Epoch). -// Uses the randomness pool if it was enabled with EnableRandPool. -// On error, NewV7 returns Nil and an error -func NewV7() (UUID, error) { - uuid, err := NewRandom() - if err != nil { - return uuid, err - } - makeV7(uuid[:]) - return uuid, nil -} - -// NewV7FromReader returns a Version 7 UUID based on the current time(Unix Epoch). -// it use NewRandomFromReader fill random bits. -// On error, NewV7FromReader returns Nil and an error. -func NewV7FromReader(r io.Reader) (UUID, error) { - uuid, err := NewRandomFromReader(r) - if err != nil { - return uuid, err - } - - makeV7(uuid[:]) - return uuid, nil -} - -// makeV7 fill 48 bits time (uuid[0] - uuid[5]), set version b0111 (uuid[6]) -// uuid[8] already has the right version number (Variant is 10) -// see function NewV7 and NewV7FromReader -func makeV7(uuid []byte) { - /* - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | unix_ts_ms | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | unix_ts_ms | ver | rand_a (12 bit seq) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - |var| rand_b | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | rand_b | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - */ - _ = uuid[15] // bounds check - - t, s := getV7Time() - - uuid[0] = byte(t >> 40) - uuid[1] = byte(t >> 32) - uuid[2] = byte(t >> 24) - uuid[3] = byte(t >> 16) - uuid[4] = byte(t >> 8) - uuid[5] = byte(t) - - uuid[6] = 0x70 | (0x0F & byte(s>>8)) - uuid[7] = byte(s) -} - -// lastV7time is the last time we returned stored as: -// -// 52 bits of time in milliseconds since epoch -// 12 bits of (fractional nanoseconds) >> 8 -var lastV7time int64 - -const nanoPerMilli = 1000000 - -// getV7Time returns the time in milliseconds and nanoseconds / 256. -// The returned (milli << 12 + seq) is guarenteed to be greater than -// (milli << 12 + seq) returned by any previous call to getV7Time. -func getV7Time() (milli, seq int64) { - timeMu.Lock() - defer timeMu.Unlock() - - nano := timeNow().UnixNano() - milli = nano / nanoPerMilli - // Sequence number is between 0 and 3906 (nanoPerMilli>>8) - seq = (nano - milli*nanoPerMilli) >> 8 - now := milli<<12 + seq - if now <= lastV7time { - now = lastV7time + 1 - milli = now >> 12 - seq = now & 0xfff - } - lastV7time = now - return milli, seq -} diff --git a/vendor/github.com/spdx/tools-golang/LICENSE.code b/vendor/github.com/spdx/tools-golang/LICENSE.code new file mode 100644 index 000000000..07efb6292 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/LICENSE.code @@ -0,0 +1,550 @@ +The tools-golang source code is provided and may be used, at your option, +under either: +* Apache License, version 2.0 (Apache-2.0), OR +* GNU General Public License, version 2.0 or later (GPL-2.0-or-later). + +Copies of both licenses are included below. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + += = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/vendor/github.com/spdx/tools-golang/LICENSE.docs b/vendor/github.com/spdx/tools-golang/LICENSE.docs new file mode 100644 index 000000000..2c8e93cbd --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/LICENSE.docs @@ -0,0 +1,399 @@ +The tools-golang documentation is provided under the Creative Commons Attribution +4.0 International license (CC-BY-4.0), a copy of which is provided below. + +Attribution 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. + Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution 4.0 International Public License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution 4.0 International Public License ("Public License"). To the +extent this Public License may be interpreted as a contract, You are +granted the Licensed Rights in consideration of Your acceptance of +these terms and conditions, and the Licensor grants You such rights in +consideration of benefits the Licensor receives from making the +Licensed Material available under these terms and conditions. + + +Section 1 -- Definitions. + + a. Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + d. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + e. Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + f. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + g. Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + h. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + i. Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + j. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + k. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + 4. If You Share Adapted Material You produce, the Adapter's + License You apply must not prevent recipients of the Adapted + Material from complying with this Public License. + + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material; and + + c. You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + + +Section 7 -- Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + + +======================================================================= + +Creative Commons is not a party to its public +licenses. Notwithstanding, Creative Commons may elect to apply one of +its public licenses to material it publishes and in those instances +will be considered the “Licensor.” The text of the Creative Commons +public licenses is dedicated to the public domain under the CC0 Public +Domain Dedication. Except for the limited purpose of indicating that +material is shared under a Creative Commons public license or as +otherwise permitted by the Creative Commons policies published at +creativecommons.org/policies, Creative Commons does not authorize the +use of the trademark "Creative Commons" or any other trademark or logo +of Creative Commons without its prior written consent including, +without limitation, in connection with any unauthorized modifications +to any of its public licenses or any other arrangements, +understandings, or agreements concerning use of licensed material. For +the avoidance of doubt, this paragraph does not form part of the +public licenses. + +Creative Commons may be contacted at creativecommons.org. + diff --git a/vendor/github.com/spdx/tools-golang/json/marshal/json.go b/vendor/github.com/spdx/tools-golang/json/marshal/json.go new file mode 100644 index 000000000..b5baefecc --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/json/marshal/json.go @@ -0,0 +1,15 @@ +package marshal + +import ( + "bytes" + "encoding/json" +) + +// JSON marshals the object _without_ escaping HTML +func JSON(obj interface{}) ([]byte, error) { + buf := &bytes.Buffer{} + enc := json.NewEncoder(buf) + enc.SetEscapeHTML(false) + err := enc.Encode(obj) + return bytes.TrimSpace(buf.Bytes()), err +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/model.go b/vendor/github.com/spdx/tools-golang/spdx/model.go new file mode 100644 index 000000000..e91856b0e --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/model.go @@ -0,0 +1,133 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +// Package spdx contains references to the latest spdx version +package spdx + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" + latest "github.com/spdx/tools-golang/spdx/v2/v2_3" +) + +const ( + Version = latest.Version + DataLicense = latest.DataLicense +) + +type ( + Annotation = latest.Annotation + ArtifactOfProject = latest.ArtifactOfProject + CreationInfo = latest.CreationInfo + Document = latest.Document + ExternalDocumentRef = latest.ExternalDocumentRef + File = latest.File + OtherLicense = latest.OtherLicense + Package = latest.Package + PackageExternalReference = latest.PackageExternalReference + Relationship = latest.Relationship + Review = latest.Review + Snippet = latest.Snippet +) + +type ( + Annotator = common.Annotator + Checksum = common.Checksum + ChecksumAlgorithm = common.ChecksumAlgorithm + Creator = common.Creator + DocElementID = common.DocElementID + ElementID = common.ElementID + Originator = common.Originator + PackageVerificationCode = common.PackageVerificationCode + SnippetRange = common.SnippetRange + SnippetRangePointer = common.SnippetRangePointer + Supplier = common.Supplier +) + +const ( + SHA224 = common.SHA224 + SHA1 = common.SHA1 + SHA256 = common.SHA256 + SHA384 = common.SHA384 + SHA512 = common.SHA512 + MD2 = common.MD2 + MD4 = common.MD4 + MD5 = common.MD5 + MD6 = common.MD6 + SHA3_256 = common.SHA3_256 + SHA3_384 = common.SHA3_384 + SHA3_512 = common.SHA3_512 + BLAKE2b_256 = common.BLAKE2b_256 + BLAKE2b_384 = common.BLAKE2b_384 + BLAKE2b_512 = common.BLAKE2b_512 + BLAKE3 = common.BLAKE3 + ADLER32 = common.ADLER32 +) + +const ( + // F.2 Security types + CategorySecurity = common.CategorySecurity + SecurityCPE23Type = common.TypeSecurityCPE23Type + SecurityCPE22Type = common.TypeSecurityCPE22Type + SecurityAdvisory = common.TypeSecurityAdvisory + SecurityFix = common.TypeSecurityFix + SecurityUrl = common.TypeSecurityUrl + SecuritySwid = common.TypeSecuritySwid + + // F.3 Package-Manager types + CategoryPackageManager = common.CategoryPackageManager + PackageManagerMavenCentral = common.TypePackageManagerMavenCentral + PackageManagerNpm = common.TypePackageManagerNpm + PackageManagerNuGet = common.TypePackageManagerNuGet + PackageManagerBower = common.TypePackageManagerBower + PackageManagerPURL = common.TypePackageManagerPURL + + // F.4 Persistent-Id types + CategoryPersistentId = common.CategoryPersistentId + TypePersistentIdSwh = common.TypePersistentIdSwh + TypePersistentIdGitoid = common.TypePersistentIdGitoid + + // 11.1 Relationship field types + RelationshipDescribes = common.TypeRelationshipDescribe + RelationshipDescribedBy = common.TypeRelationshipDescribeBy + RelationshipContains = common.TypeRelationshipContains + RelationshipContainedBy = common.TypeRelationshipContainedBy + RelationshipDependsOn = common.TypeRelationshipDependsOn + RelationshipDependencyOf = common.TypeRelationshipDependencyOf + RelationshipBuildDependencyOf = common.TypeRelationshipBuildDependencyOf + RelationshipDevDependencyOf = common.TypeRelationshipDevDependencyOf + RelationshipOptionalDependencyOf = common.TypeRelationshipOptionalDependencyOf + RelationshipProvidedDependencyOf = common.TypeRelationshipProvidedDependencyOf + RelationshipTestDependencyOf = common.TypeRelationshipTestDependencyOf + RelationshipRuntimeDependencyOf = common.TypeRelationshipRuntimeDependencyOf + RelationshipExampleOf = common.TypeRelationshipExampleOf + RelationshipGenerates = common.TypeRelationshipGenerates + RelationshipGeneratedFrom = common.TypeRelationshipGeneratedFrom + RelationshipAncestorOf = common.TypeRelationshipAncestorOf + RelationshipDescendantOf = common.TypeRelationshipDescendantOf + RelationshipVariantOf = common.TypeRelationshipVariantOf + RelationshipDistributionArtifact = common.TypeRelationshipDistributionArtifact + RelationshipPatchFor = common.TypeRelationshipPatchFor + RelationshipPatchApplied = common.TypeRelationshipPatchApplied + RelationshipCopyOf = common.TypeRelationshipCopyOf + RelationshipFileAdded = common.TypeRelationshipFileAdded + RelationshipFileDeleted = common.TypeRelationshipFileDeleted + RelationshipFileModified = common.TypeRelationshipFileModified + RelationshipExpandedFromArchive = common.TypeRelationshipExpandedFromArchive + RelationshipDynamicLink = common.TypeRelationshipDynamicLink + RelationshipStaticLink = common.TypeRelationshipStaticLink + RelationshipDataFileOf = common.TypeRelationshipDataFileOf + RelationshipTestCaseOf = common.TypeRelationshipTestCaseOf + RelationshipBuildToolOf = common.TypeRelationshipBuildToolOf + RelationshipDevToolOf = common.TypeRelationshipDevToolOf + RelationshipTestOf = common.TypeRelationshipTestOf + RelationshipTestToolOf = common.TypeRelationshipTestToolOf + RelationshipDocumentationOf = common.TypeRelationshipDocumentationOf + RelationshipOptionalComponentOf = common.TypeRelationshipOptionalComponentOf + RelationshipMetafileOf = common.TypeRelationshipMetafileOf + RelationshipPackageOf = common.TypeRelationshipPackageOf + RelationshipAmends = common.TypeRelationshipAmends + RelationshipPrerequisiteFor = common.TypeRelationshipPrerequisiteFor + RelationshipHasPrerequisite = common.TypeRelationshipHasPrerequisite + RelationshipRequirementDescriptionFor = common.TypeRelationshipRequirementDescriptionFor + RelationshipSpecificationFor = common.TypeRelationshipSpecificationFor + RelationshipOther = common.TypeRelationshipOther +) diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/annotation.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/annotation.go new file mode 100644 index 000000000..645aa9249 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/annotation.go @@ -0,0 +1,45 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +import ( + "fmt" + "strings" + + "github.com/spdx/tools-golang/json/marshal" +) + +type Annotator struct { + Annotator string + // including AnnotatorType: one of "Person", "Organization" or "Tool" + AnnotatorType string +} + +// UnmarshalJSON takes an annotator in the typical one-line format and parses it into an Annotator struct. +// This function is also used when unmarshalling YAML +func (a *Annotator) UnmarshalJSON(data []byte) error { + // annotator will simply be a string + annotatorStr := string(data) + annotatorStr = strings.Trim(annotatorStr, "\"") + + annotatorFields := strings.SplitN(annotatorStr, ": ", 2) + + if len(annotatorFields) != 2 { + return fmt.Errorf("failed to parse Annotator '%s'", annotatorStr) + } + + a.AnnotatorType = annotatorFields[0] + a.Annotator = annotatorFields[1] + + return nil +} + +// MarshalJSON converts the receiver into a slice of bytes representing an Annotator in string form. +// This function is also used when marshalling to YAML +func (a Annotator) MarshalJSON() ([]byte, error) { + if a.Annotator != "" { + return marshal.JSON(fmt.Sprintf("%s: %s", a.AnnotatorType, a.Annotator)) + } + + return []byte{}, nil +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/checksum.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/checksum.go new file mode 100644 index 000000000..d4969ef84 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/checksum.go @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +// ChecksumAlgorithm represents the algorithm used to generate the file checksum in the Checksum struct. +type ChecksumAlgorithm string + +// The checksum algorithms mentioned in the spec https://spdx.github.io/spdx-spec/4-file-information/#44-file-checksum +const ( + SHA224 ChecksumAlgorithm = "SHA224" + SHA1 ChecksumAlgorithm = "SHA1" + SHA256 ChecksumAlgorithm = "SHA256" + SHA384 ChecksumAlgorithm = "SHA384" + SHA512 ChecksumAlgorithm = "SHA512" + MD2 ChecksumAlgorithm = "MD2" + MD4 ChecksumAlgorithm = "MD4" + MD5 ChecksumAlgorithm = "MD5" + MD6 ChecksumAlgorithm = "MD6" + SHA3_256 ChecksumAlgorithm = "SHA3-256" + SHA3_384 ChecksumAlgorithm = "SHA3-384" + SHA3_512 ChecksumAlgorithm = "SHA3-512" + BLAKE2b_256 ChecksumAlgorithm = "BLAKE2b-256" + BLAKE2b_384 ChecksumAlgorithm = "BLAKE2b-384" + BLAKE2b_512 ChecksumAlgorithm = "BLAKE2b-512" + BLAKE3 ChecksumAlgorithm = "BLAKE3" + ADLER32 ChecksumAlgorithm = "ADLER32" +) + +// Checksum provides a unique identifier to match analysis information on each specific file in a package. +// The Algorithm field describes the ChecksumAlgorithm used and the Value represents the file checksum +type Checksum struct { + Algorithm ChecksumAlgorithm `json:"algorithm"` + Value string `json:"checksumValue"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/creation_info.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/creation_info.go new file mode 100644 index 000000000..77b24ee0d --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/creation_info.go @@ -0,0 +1,45 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +import ( + "fmt" + "strings" + + "github.com/spdx/tools-golang/json/marshal" +) + +// Creator is a wrapper around the Creator SPDX field. The SPDX field contains two values, which requires special +// handling in order to marshal/unmarshal it to/from Go data types. +type Creator struct { + Creator string + // CreatorType should be one of "Person", "Organization", or "Tool" + CreatorType string +} + +// UnmarshalJSON takes an annotator in the typical one-line format and parses it into a Creator struct. +// This function is also used when unmarshalling YAML +func (c *Creator) UnmarshalJSON(data []byte) error { + str := string(data) + str = strings.Trim(str, "\"") + fields := strings.SplitN(str, ": ", 2) + + if len(fields) != 2 { + return fmt.Errorf("failed to parse Creator '%s'", str) + } + + c.CreatorType = fields[0] + c.Creator = fields[1] + + return nil +} + +// MarshalJSON converts the receiver into a slice of bytes representing a Creator in string form. +// This function is also used with marshalling to YAML +func (c Creator) MarshalJSON() ([]byte, error) { + if c.Creator != "" { + return marshal.JSON(fmt.Sprintf("%s: %s", c.CreatorType, c.Creator)) + } + + return []byte{}, nil +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/external.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/external.go new file mode 100644 index 000000000..8344ac616 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/external.go @@ -0,0 +1,74 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +// Constants for various string types +const ( + + // F.2 Security types + CategorySecurity string = "SECURITY" + TypeSecurityCPE23Type string = "cpe23Type" + TypeSecurityCPE22Type string = "cpe22Type" + TypeSecurityAdvisory string = "advisory" + TypeSecurityFix string = "fix" + TypeSecurityUrl string = "url" + TypeSecuritySwid string = "swid" + + // F.3 Package-Manager types + CategoryPackageManager string = "PACKAGE-MANAGER" + TypePackageManagerMavenCentral string = "maven-central" + TypePackageManagerNpm string = "npm" + TypePackageManagerNuGet string = "nuget" + TypePackageManagerBower string = "bower" + TypePackageManagerPURL string = "purl" + // F.4 Persistent-Id types + CategoryPersistentId string = "PERSISTENT-ID" + TypePersistentIdSwh string = "swh" + TypePersistentIdGitoid string = "gitoid" + + // 11.1 Relationship field types + TypeRelationshipDescribe string = "DESCRIBES" + TypeRelationshipDescribeBy string = "DESCRIBED_BY" + TypeRelationshipContains string = "CONTAINS" + TypeRelationshipContainedBy string = "CONTAINED_BY" + TypeRelationshipDependsOn string = "DEPENDS_ON" + TypeRelationshipDependencyOf string = "DEPENDENCY_OF" + TypeRelationshipBuildDependencyOf string = "BUILD_DEPENDENCY_OF" + TypeRelationshipDevDependencyOf string = "DEV_DEPENDENCY_OF" + TypeRelationshipOptionalDependencyOf string = "OPTIONAL_DEPENDENCY_OF" + TypeRelationshipProvidedDependencyOf string = "PROVIDED_DEPENDENCY_OF" + TypeRelationshipTestDependencyOf string = "TEST_DEPENDENCY_OF" + TypeRelationshipRuntimeDependencyOf string = "RUNTIME_DEPENDENCY_OF" + TypeRelationshipExampleOf string = "EXAMPLE_OF" + TypeRelationshipGenerates string = "GENERATES" + TypeRelationshipGeneratedFrom string = "GENERATED_FROM" + TypeRelationshipAncestorOf string = "ANCESTOR_OF" + TypeRelationshipDescendantOf string = "DESCENDANT_OF" + TypeRelationshipVariantOf string = "VARIANT_OF" + TypeRelationshipDistributionArtifact string = "DISTRIBUTION_ARTIFACT" + TypeRelationshipPatchFor string = "PATCH_FOR" + TypeRelationshipPatchApplied string = "PATCH_APPLIED" + TypeRelationshipCopyOf string = "COPY_OF" + TypeRelationshipFileAdded string = "FILE_ADDED" + TypeRelationshipFileDeleted string = "FILE_DELETED" + TypeRelationshipFileModified string = "FILE_MODIFIED" + TypeRelationshipExpandedFromArchive string = "EXPANDED_FROM_ARCHIVE" + TypeRelationshipDynamicLink string = "DYNAMIC_LINK" + TypeRelationshipStaticLink string = "STATIC_LINK" + TypeRelationshipDataFileOf string = "DATA_FILE_OF" + TypeRelationshipTestCaseOf string = "TEST_CASE_OF" + TypeRelationshipBuildToolOf string = "BUILD_TOOL_OF" + TypeRelationshipDevToolOf string = "DEV_TOOL_OF" + TypeRelationshipTestOf string = "TEST_OF" + TypeRelationshipTestToolOf string = "TEST_TOOL_OF" + TypeRelationshipDocumentationOf string = "DOCUMENTATION_OF" + TypeRelationshipOptionalComponentOf string = "OPTIONAL_COMPONENT_OF" + TypeRelationshipMetafileOf string = "METAFILE_OF" + TypeRelationshipPackageOf string = "PACKAGE_OF" + TypeRelationshipAmends string = "AMENDS" + TypeRelationshipPrerequisiteFor string = "PREREQUISITE_FOR" + TypeRelationshipHasPrerequisite string = "HAS_PREREQUISITE" + TypeRelationshipRequirementDescriptionFor string = "REQUIREMENT_DESCRIPTION_FOR" + TypeRelationshipSpecificationFor string = "SPECIFICATION_FOR" + TypeRelationshipOther string = "OTHER" +) diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/identifier.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/identifier.go new file mode 100644 index 000000000..929e42fa4 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/identifier.go @@ -0,0 +1,174 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +import ( + "fmt" + "strings" + + "github.com/spdx/tools-golang/json/marshal" +) + +const ( + spdxRefPrefix = "SPDXRef-" + documentRefPrefix = "DocumentRef-" +) + +// ElementID represents the identifier string portion of an SPDX element +// identifier. DocElementID should be used for any attributes which can +// contain identifiers defined in a different SPDX document. +// ElementIDs should NOT contain the mandatory 'SPDXRef-' portion. +type ElementID string + +// MarshalJSON returns an SPDXRef- prefixed JSON string +func (d ElementID) MarshalJSON() ([]byte, error) { + return marshal.JSON(prefixElementId(d)) +} + +// UnmarshalJSON validates SPDXRef- prefixes and removes them when processing ElementIDs +func (d *ElementID) UnmarshalJSON(data []byte) error { + // SPDX identifier will simply be a string + idStr := string(data) + idStr = strings.Trim(idStr, "\"") + + e, err := trimElementIdPrefix(idStr) + if err != nil { + return err + } + *d = e + return nil +} + +// prefixElementId adds the SPDXRef- prefix to an element ID if it does not have one +func prefixElementId(id ElementID) string { + val := string(id) + if !strings.HasPrefix(val, spdxRefPrefix) { + return spdxRefPrefix + val + } + return val +} + +// trimElementIdPrefix removes the SPDXRef- prefix from an element ID string or returns an error if it +// does not start with SPDXRef- +func trimElementIdPrefix(id string) (ElementID, error) { + // handle SPDXRef- + idFields := strings.SplitN(id, spdxRefPrefix, 2) + if len(idFields) != 2 { + return "", fmt.Errorf("failed to parse SPDX identifier '%s'", id) + } + + e := ElementID(idFields[1]) + return e, nil +} + +// DocElementID represents an SPDX element identifier that could be defined +// in a different SPDX document, and therefore could have a "DocumentRef-" +// portion, such as Relationships and Annotations. +// ElementID is used for attributes in which a "DocumentRef-" portion cannot +// appear, such as a Package or File definition (since it is necessarily +// being defined in the present document). +// DocumentRefID will be the empty string for elements defined in the +// present document. +// DocElementIDs should NOT contain the mandatory 'DocumentRef-' or +// 'SPDXRef-' portions. +// SpecialID is used ONLY if the DocElementID matches a defined set of +// permitted special values for a particular field, e.g. "NONE" or +// "NOASSERTION" for the right-hand side of Relationships. If SpecialID +// is set, DocumentRefID and ElementRefID should be empty (and vice versa). +type DocElementID struct { + DocumentRefID string + ElementRefID ElementID + SpecialID string +} + +// MarshalJSON converts the receiver into a slice of bytes representing a DocElementID in string form. +// This function is also used when marshalling to YAML +func (d DocElementID) MarshalJSON() ([]byte, error) { + if d.DocumentRefID != "" && d.ElementRefID != "" { + idStr := prefixElementId(d.ElementRefID) + return marshal.JSON(fmt.Sprintf("%s%s:%s", documentRefPrefix, d.DocumentRefID, idStr)) + } else if d.ElementRefID != "" { + return marshal.JSON(prefixElementId(d.ElementRefID)) + } else if d.SpecialID != "" { + return marshal.JSON(d.SpecialID) + } + + return []byte{}, fmt.Errorf("failed to marshal empty DocElementID") +} + +// UnmarshalJSON takes a SPDX Identifier string parses it into a DocElementID struct. +// This function is also used when unmarshalling YAML +func (d *DocElementID) UnmarshalJSON(data []byte) (err error) { + // SPDX identifier will simply be a string + idStr := string(data) + idStr = strings.Trim(idStr, "\"") + + // handle special cases + if idStr == "NONE" || idStr == "NOASSERTION" { + d.SpecialID = idStr + return nil + } + + var idFields []string + // handle DocumentRef- if present + if strings.HasPrefix(idStr, documentRefPrefix) { + // strip out the "DocumentRef-" so we can get the value + idFields = strings.SplitN(idStr, documentRefPrefix, 2) + idStr = idFields[1] + + // an SPDXRef can appear after a DocumentRef, separated by a colon + idFields = strings.SplitN(idStr, ":", 2) + d.DocumentRefID = idFields[0] + + if len(idFields) == 2 { + idStr = idFields[1] + } else { + return nil + } + } + + d.ElementRefID, err = trimElementIdPrefix(idStr) + return err +} + +// TODO: add equivalents for LicenseRef- identifiers + +// MakeDocElementID takes strings (without prefixes) for the DocumentRef- +// and SPDXRef- identifiers, and returns a DocElementID. An empty string +// should be used for the DocumentRef- portion if it is referring to the +// present document. +func MakeDocElementID(docRef string, eltRef string) DocElementID { + return DocElementID{ + DocumentRefID: docRef, + ElementRefID: ElementID(eltRef), + } +} + +// MakeDocElementSpecial takes a "special" string (e.g. "NONE" or +// "NOASSERTION" for the right side of a Relationship), nd returns +// a DocElementID with it in the SpecialID field. Other fields will +// be empty. +func MakeDocElementSpecial(specialID string) DocElementID { + return DocElementID{SpecialID: specialID} +} + +// RenderElementID takes an ElementID and returns the string equivalent, +// with the SPDXRef- prefix reinserted. +func RenderElementID(eID ElementID) string { + return spdxRefPrefix + string(eID) +} + +// RenderDocElementID takes a DocElementID and returns the string equivalent, +// with the SPDXRef- prefix (and, if applicable, the DocumentRef- prefix) +// reinserted. If a SpecialID is present, it will be rendered verbatim and +// DocumentRefID and ElementRefID will be ignored. +func RenderDocElementID(deID DocElementID) string { + if deID.SpecialID != "" { + return deID.SpecialID + } + prefix := "" + if deID.DocumentRefID != "" { + prefix = documentRefPrefix + deID.DocumentRefID + ":" + } + return prefix + spdxRefPrefix + string(deID.ElementRefID) +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/package.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/package.go new file mode 100644 index 000000000..b9ee2c5cd --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/package.go @@ -0,0 +1,104 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +import ( + "fmt" + "strings" + + "github.com/spdx/tools-golang/json/marshal" +) + +type Supplier struct { + // can be "NOASSERTION" + Supplier string + // SupplierType can be one of "Person", "Organization", or empty if Supplier is "NOASSERTION" + SupplierType string +} + +// UnmarshalJSON takes a supplier in the typical one-line format and parses it into a Supplier struct. +// This function is also used when unmarshalling YAML +func (s *Supplier) UnmarshalJSON(data []byte) error { + // the value is just a string presented as a slice of bytes + supplierStr := string(data) + supplierStr = strings.Trim(supplierStr, "\"") + + if supplierStr == "NOASSERTION" { + s.Supplier = supplierStr + return nil + } + + supplierFields := strings.SplitN(supplierStr, ": ", 2) + + if len(supplierFields) != 2 { + return fmt.Errorf("failed to parse Supplier '%s'", supplierStr) + } + + s.SupplierType = supplierFields[0] + s.Supplier = supplierFields[1] + + return nil +} + +// MarshalJSON converts the receiver into a slice of bytes representing a Supplier in string form. +// This function is also used when marshalling to YAML +func (s Supplier) MarshalJSON() ([]byte, error) { + if s.Supplier == "NOASSERTION" { + return marshal.JSON(s.Supplier) + } else if s.SupplierType != "" && s.Supplier != "" { + return marshal.JSON(fmt.Sprintf("%s: %s", s.SupplierType, s.Supplier)) + } + + return []byte{}, fmt.Errorf("failed to marshal invalid Supplier: %+v", s) +} + +type Originator struct { + // can be "NOASSERTION" + Originator string + // OriginatorType can be one of "Person", "Organization", or empty if Originator is "NOASSERTION" + OriginatorType string +} + +// UnmarshalJSON takes an originator in the typical one-line format and parses it into an Originator struct. +// This function is also used when unmarshalling YAML +func (o *Originator) UnmarshalJSON(data []byte) error { + // the value is just a string presented as a slice of bytes + originatorStr := string(data) + originatorStr = strings.Trim(originatorStr, "\"") + + if originatorStr == "NOASSERTION" { + o.Originator = originatorStr + return nil + } + + originatorFields := strings.SplitN(originatorStr, ":", 2) + if len(originatorFields) != 2 { + return fmt.Errorf("failed to parse Originator '%s'", originatorStr) + } + + o.OriginatorType = originatorFields[0] + o.Originator = strings.TrimLeft(originatorFields[1], " \t") + return nil +} + +// MarshalJSON converts the receiver into a slice of bytes representing an Originator in string form. +// This function is also used when marshalling to YAML +func (o Originator) MarshalJSON() ([]byte, error) { + if o.Originator == "NOASSERTION" { + return marshal.JSON(o.Originator) + } else if o.Originator != "" { + return marshal.JSON(fmt.Sprintf("%s: %s", o.OriginatorType, o.Originator)) + } + + return []byte{}, nil +} + +type PackageVerificationCode struct { + // Cardinality: mandatory, one if filesAnalyzed is true / omitted; + // zero (must be omitted) if filesAnalyzed is false + Value string `json:"packageVerificationCodeValue"` + // Spec also allows specifying files to exclude from the + // verification code algorithm; intended to enable exclusion of + // the SPDX document file itself. + ExcludedFiles []string `json:"packageVerificationCodeExcludedFiles,omitempty"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/common/snippet.go b/vendor/github.com/spdx/tools-golang/spdx/v2/common/snippet.go new file mode 100644 index 000000000..63afac3ba --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/common/snippet.go @@ -0,0 +1,20 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package common + +type SnippetRangePointer struct { + // 5.3: Snippet Byte Range: [start byte]:[end byte] + // Cardinality: mandatory, one + Offset int `json:"offset,omitempty"` + + // 5.4: Snippet Line Range: [start line]:[end line] + // Cardinality: optional, one + LineNumber int `json:"lineNumber,omitempty"` + + FileSPDXIdentifier ElementID `json:"reference"` +} + +type SnippetRange struct { + StartPointer SnippetRangePointer `json:"startPointer"` + EndPointer SnippetRangePointer `json:"endPointer"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/annotation.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/annotation.go new file mode 100644 index 000000000..338394cf6 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/annotation.go @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// Annotation is an Annotation section of an SPDX Document +type Annotation struct { + // 12.1: Annotator + // Cardinality: conditional (mandatory, one) if there is an Annotation + Annotator common.Annotator `json:"annotator"` + + // 12.2: Annotation Date: YYYY-MM-DDThh:mm:ssZ + // Cardinality: conditional (mandatory, one) if there is an Annotation + AnnotationDate string `json:"annotationDate"` + + // 12.3: Annotation Type: "REVIEW" or "OTHER" + // Cardinality: conditional (mandatory, one) if there is an Annotation + AnnotationType string `json:"annotationType"` + + // 12.4: SPDX Identifier Reference + // Cardinality: conditional (mandatory, one) if there is an Annotation + // This field is not used in hierarchical data formats where the referenced element is clear, such as JSON or YAML. + AnnotationSPDXIdentifier common.DocElementID `json:"-" yaml:"-"` + + // 12.5: Annotation Comment + // Cardinality: conditional (mandatory, one) if there is an Annotation + AnnotationComment string `json:"comment"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/creation_info.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/creation_info.go new file mode 100644 index 000000000..84d5bf082 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/creation_info.go @@ -0,0 +1,27 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// CreationInfo is a Document Creation Information section of an SPDX Document +type CreationInfo struct { + // 6.7: License List Version + // Cardinality: optional, one + LicenseListVersion string `json:"licenseListVersion,omitempty"` + + // 6.8: Creators: may have multiple keys for Person, Organization + // and/or Tool + // Cardinality: mandatory, one or many + Creators []common.Creator `json:"creators"` + + // 6.9: Created: data format YYYY-MM-DDThh:mm:ssZ + // Cardinality: mandatory, one + Created string `json:"created"` + + // 6.10: Creator Comment + // Cardinality: optional, one + CreatorComment string `json:"comment,omitempty"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/document.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/document.go new file mode 100644 index 000000000..7350192ae --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/document.go @@ -0,0 +1,166 @@ +// Package v2_3 Package contains the struct definition for an SPDX Document +// and its constituent parts. +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later +package v2_3 + +import ( + "encoding/json" + "fmt" + + converter "github.com/anchore/go-struct-converter" + + "github.com/spdx/tools-golang/spdx/v2/common" +) + +const Version = "SPDX-2.3" +const DataLicense = "CC0-1.0" + +// ExternalDocumentRef is a reference to an external SPDX document as defined in section 6.6 +type ExternalDocumentRef struct { + // DocumentRefID is the ID string defined in the start of the + // reference. It should _not_ contain the "DocumentRef-" part + // of the mandatory ID string. + DocumentRefID string `json:"externalDocumentId"` + + // URI is the URI defined for the external document + URI string `json:"spdxDocument"` + + // Checksum is the actual hash data + Checksum common.Checksum `json:"checksum"` +} + +// Document is an SPDX Document: +// See https://spdx.github.io/spdx-spec/v2.3/document-creation-information +type Document struct { + // 6.1: SPDX Version; should be in the format "SPDX-" + // Cardinality: mandatory, one + SPDXVersion string `json:"spdxVersion"` + + // 6.2: Data License; should be "CC0-1.0" + // Cardinality: mandatory, one + DataLicense string `json:"dataLicense"` + + // 6.3: SPDX Identifier; should be "DOCUMENT" to represent + // mandatory identifier of SPDXRef-DOCUMENT + // Cardinality: mandatory, one + SPDXIdentifier common.ElementID `json:"SPDXID"` + + // 6.4: Document Name + // Cardinality: mandatory, one + DocumentName string `json:"name"` + + // 6.5: Document Namespace + // Cardinality: mandatory, one + DocumentNamespace string `json:"documentNamespace"` + + // 6.6: External Document References + // Cardinality: optional, one or many + ExternalDocumentReferences []ExternalDocumentRef `json:"externalDocumentRefs,omitempty"` + + // 6.11: Document Comment + // Cardinality: optional, one + DocumentComment string `json:"comment,omitempty"` + + CreationInfo *CreationInfo `json:"creationInfo"` + Packages []*Package `json:"packages,omitempty"` + Files []*File `json:"files,omitempty"` + OtherLicenses []*OtherLicense `json:"hasExtractedLicensingInfos,omitempty"` + Relationships []*Relationship `json:"relationships,omitempty"` + Annotations []*Annotation `json:"annotations,omitempty"` + Snippets []Snippet `json:"snippets,omitempty"` + + // DEPRECATED in version 2.0 of spec + Reviews []*Review `json:"-" yaml:"-"` +} + +func (d *Document) ConvertFrom(_ interface{}) error { + d.SPDXVersion = Version + return nil +} + +var _ converter.ConvertFrom = (*Document)(nil) + +func (d *Document) UnmarshalJSON(b []byte) error { + type doc Document + type extras struct { + DocumentDescribes []common.DocElementID `json:"documentDescribes"` + } + + var d2 doc + if err := json.Unmarshal(b, &d2); err != nil { + return err + } + + var e extras + if err := json.Unmarshal(b, &e); err != nil { + return err + } + + *d = Document(d2) + + relationshipExists := map[string]bool{} + serializeRel := func(r *Relationship) string { + refA := r.RefA + refB := r.RefB + rel := r.Relationship + + // we need to serialize the opposite for CONTAINED_BY and DESCRIBED_BY + // so that it will match when we try to de-duplicate during deserialization. + switch r.Relationship { + case common.TypeRelationshipContainedBy: + rel = common.TypeRelationshipContains + refA = r.RefB + refB = r.RefA + case common.TypeRelationshipDescribeBy: + rel = common.TypeRelationshipDescribe + refA = r.RefB + refB = r.RefA + } + return fmt.Sprintf("%v-%v->%v", common.RenderDocElementID(refA), rel, common.RenderDocElementID(refB)) + } + + // index current list of relationships to ensure no duplication + for _, r := range d.Relationships { + relationshipExists[serializeRel(r)] = true + } + + // build relationships for documentDescribes field + for _, id := range e.DocumentDescribes { + r := &Relationship{ + RefA: common.DocElementID{ + ElementRefID: d.SPDXIdentifier, + }, + RefB: id, + Relationship: common.TypeRelationshipDescribe, + } + + if !relationshipExists[serializeRel(r)] { + d.Relationships = append(d.Relationships, r) + relationshipExists[serializeRel(r)] = true + } + } + + // build relationships for package hasFiles field + // build relationships for package hasFiles field + for _, p := range d.Packages { + for _, f := range p.hasFiles { + r := &Relationship{ + RefA: common.DocElementID{ + ElementRefID: p.PackageSPDXIdentifier, + }, + RefB: f, + Relationship: common.TypeRelationshipContains, + } + if !relationshipExists[serializeRel(r)] { + d.Relationships = append(d.Relationships, r) + relationshipExists[serializeRel(r)] = true + } + } + + p.hasFiles = nil + } + + return nil +} + +var _ json.Unmarshaler = (*Document)(nil) diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/file.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/file.go new file mode 100644 index 000000000..9f8f28acd --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/file.go @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// File is a File section of an SPDX Document +type File struct { + // 8.1: File Name + // Cardinality: mandatory, one + FileName string `json:"fileName"` + + // 8.2: File SPDX Identifier: "SPDXRef-[idstring]" + // Cardinality: mandatory, one + FileSPDXIdentifier common.ElementID `json:"SPDXID"` + + // 8.3: File Types + // Cardinality: optional, multiple + FileTypes []string `json:"fileTypes,omitempty"` + + // 8.4: File Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 + // Cardinality: mandatory, one SHA1, others may be optionally provided + Checksums []common.Checksum `json:"checksums"` + + // 8.5: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one + LicenseConcluded string `json:"licenseConcluded,omitempty"` + + // 8.6: License Information in File: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one or many + LicenseInfoInFiles []string `json:"licenseInfoInFiles,omitempty"` + + // 8.7: Comments on License + // Cardinality: optional, one + LicenseComments string `json:"licenseComments,omitempty"` + + // 8.8: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION" + // Cardinality: mandatory, one + FileCopyrightText string `json:"copyrightText"` + + // DEPRECATED in version 2.1 of spec + // 8.9-8.11: Artifact of Project variables (defined below) + // Cardinality: optional, one or many + ArtifactOfProjects []*ArtifactOfProject `json:"artifactOfs,omitempty"` + + // 8.12: File Comment + // Cardinality: optional, one + FileComment string `json:"comment,omitempty"` + + // 8.13: File Notice + // Cardinality: optional, one + FileNotice string `json:"noticeText,omitempty"` + + // 8.14: File Contributor + // Cardinality: optional, one or many + FileContributors []string `json:"fileContributors,omitempty"` + + // 8.15: File Attribution Text + // Cardinality: optional, one or many + FileAttributionTexts []string `json:"attributionTexts,omitempty"` + + // DEPRECATED in version 2.0 of spec + // 8.16: File Dependencies + // Cardinality: optional, one or many + FileDependencies []string `json:"fileDependencies,omitempty"` + + // Snippets contained in this File + // Note that Snippets could be defined in a different Document! However, + // the only ones that _THIS_ document can contain are this ones that are + // defined here -- so this should just be an ElementID. + Snippets map[common.ElementID]*Snippet `json:"-" yaml:"-"` + + Annotations []Annotation `json:"annotations,omitempty"` +} + +// ArtifactOfProject is a DEPRECATED collection of data regarding +// a Package, as defined in sections 8.9-8.11. +// NOTE: the JSON schema does not define the structure of this object: +// https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L480 +type ArtifactOfProject struct { + + // DEPRECATED in version 2.1 of spec + // 8.9: Artifact of Project Name + // Cardinality: conditional, required if present, one per AOP + Name string `json:"name"` + + // DEPRECATED in version 2.1 of spec + // 8.10: Artifact of Project Homepage: URL or "UNKNOWN" + // Cardinality: optional, one per AOP + HomePage string `json:"homePage"` + + // DEPRECATED in version 2.1 of spec + // 8.11: Artifact of Project Uniform Resource Identifier + // Cardinality: optional, one per AOP + URI string `json:"URI"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/other_license.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/other_license.go new file mode 100644 index 000000000..55971f42a --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/other_license.go @@ -0,0 +1,30 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +// OtherLicense is an Other License Information section of an SPDX Document +type OtherLicense struct { + // 10.1: License Identifier: "LicenseRef-[idstring]" + // Cardinality: conditional (mandatory, one) if license is not + // on SPDX License List + LicenseIdentifier string `json:"licenseId"` + + // 10.2: Extracted Text + // Cardinality: conditional (mandatory, one) if there is a + // License Identifier assigned + ExtractedText string `json:"extractedText"` + + // 10.3: License Name: single line of text or "NOASSERTION" + // Cardinality: conditional (mandatory, one) if license is not + // on SPDX License List + LicenseName string `json:"name,omitempty"` + + // 10.4: License Cross Reference + // Cardinality: conditional (optional, one or many) if license + // is not on SPDX License List + LicenseCrossReferences []string `json:"seeAlsos,omitempty"` + + // 10.5: License Comment + // Cardinality: optional, one + LicenseComment string `json:"comment,omitempty"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/package.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/package.go new file mode 100644 index 000000000..6488a7e8c --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/package.go @@ -0,0 +1,222 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "encoding/json" + "strings" + + "github.com/spdx/tools-golang/json/marshal" + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// Package is a Package section of an SPDX Document +type Package struct { + // NOT PART OF SPEC + // flag: does this "package" contain files that were in fact "unpackaged", + // e.g. included directly in the Document without being in a Package? + IsUnpackaged bool `json:"-" yaml:"-"` + + // 7.1: Package Name + // Cardinality: mandatory, one + PackageName string `json:"name"` + + // 7.2: Package SPDX Identifier: "SPDXRef-[idstring]" + // Cardinality: mandatory, one + PackageSPDXIdentifier common.ElementID `json:"SPDXID"` + + // 7.3: Package Version + // Cardinality: optional, one + PackageVersion string `json:"versionInfo,omitempty"` + + // 7.4: Package File Name + // Cardinality: optional, one + PackageFileName string `json:"packageFileName,omitempty"` + + // 7.5: Package Supplier: may have single result for either Person or Organization, + // or NOASSERTION + // Cardinality: optional, one + PackageSupplier *common.Supplier `json:"supplier,omitempty"` + + // 7.6: Package Originator: may have single result for either Person or Organization, + // or NOASSERTION + // Cardinality: optional, one + PackageOriginator *common.Originator `json:"originator,omitempty"` + + // 7.7: Package Download Location + // Cardinality: mandatory, one + PackageDownloadLocation string `json:"downloadLocation"` + + // 7.8: FilesAnalyzed + // Cardinality: optional, one; default value is "true" if omitted + FilesAnalyzed bool `json:"filesAnalyzed"` + // NOT PART OF SPEC: did FilesAnalyzed tag appear? + IsFilesAnalyzedTagPresent bool `json:"-" yaml:"-"` + + // 7.9: Package Verification Code + // Cardinality: if FilesAnalyzed == true must be present, if FilesAnalyzed == false must be omitted + PackageVerificationCode *common.PackageVerificationCode `json:"packageVerificationCode,omitempty"` + + // 7.10: Package Checksum: may have keys for SHA1, SHA256, SHA512, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 + // Cardinality: optional, one or many + PackageChecksums []common.Checksum `json:"checksums,omitempty"` + + // 7.11: Package Home Page + // Cardinality: optional, one + PackageHomePage string `json:"homepage,omitempty"` + + // 7.12: Source Information + // Cardinality: optional, one + PackageSourceInfo string `json:"sourceInfo,omitempty"` + + // 7.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one + PackageLicenseConcluded string `json:"licenseConcluded,omitempty"` + + // 7.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one or many if filesAnalyzed is true / omitted; + // zero (must be omitted) if filesAnalyzed is false + PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"` + + // 7.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one + PackageLicenseDeclared string `json:"licenseDeclared,omitempty"` + + // 7.16: Comments on License + // Cardinality: optional, one + PackageLicenseComments string `json:"licenseComments,omitempty"` + + // 7.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION" + // Cardinality: optional, zero or one + PackageCopyrightText string `json:"copyrightText,omitempty"` + + // 7.18: Package Summary Description + // Cardinality: optional, one + PackageSummary string `json:"summary,omitempty"` + + // 7.19: Package Detailed Description + // Cardinality: optional, one + PackageDescription string `json:"description,omitempty"` + + // 7.20: Package Comment + // Cardinality: optional, one + PackageComment string `json:"comment,omitempty"` + + // 7.21: Package External Reference + // Cardinality: optional, one or many + PackageExternalReferences []*PackageExternalReference `json:"externalRefs,omitempty"` + + // 7.22: Package External Reference Comment + // Cardinality: conditional (optional, one) for each External Reference + // contained within PackageExternalReference struct, if present + + // 7.23: Package Attribution Text + // Cardinality: optional, one or many + PackageAttributionTexts []string `json:"attributionTexts,omitempty"` + + // 7.24: Primary Package Purpose + // Cardinality: optional, one or many + // Allowed values: APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVICE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL, OTHER + PrimaryPackagePurpose string `json:"primaryPackagePurpose,omitempty"` + + // 7.25: Release Date: YYYY-MM-DDThh:mm:ssZ + // Cardinality: optional, one + ReleaseDate string `json:"releaseDate,omitempty"` + + // 7.26: Build Date: YYYY-MM-DDThh:mm:ssZ + // Cardinality: optional, one + BuiltDate string `json:"builtDate,omitempty"` + + // 7.27: Valid Until Date: YYYY-MM-DDThh:mm:ssZ + // Cardinality: optional, one + ValidUntilDate string `json:"validUntilDate,omitempty"` + + // Files contained in this Package + Files []*File `json:"files,omitempty"` + + Annotations []Annotation `json:"annotations,omitempty"` + + // this field is only used when decoding JSON to translate the hasFiles + // property to relationships + hasFiles []common.DocElementID +} + +func (p *Package) UnmarshalJSON(b []byte) error { + type pkg Package + type extras struct { + HasFiles []common.DocElementID `json:"hasFiles"` + FilesAnalyzed *bool `json:"filesAnalyzed"` + } + + var p2 pkg + if err := json.Unmarshal(b, &p2); err != nil { + return err + } + + var e extras + if err := json.Unmarshal(b, &e); err != nil { + return err + } + + *p = Package(p2) + + p.hasFiles = e.HasFiles + + // FilesAnalyzed defaults to true if omitted + if e.FilesAnalyzed == nil { + p.FilesAnalyzed = true + } else { + p.IsFilesAnalyzedTagPresent = true + } + + return nil +} + +var _ json.Unmarshaler = (*Package)(nil) + +// PackageExternalReference is an External Reference to additional info +// about a Package, as defined in section 7.21 +type PackageExternalReference struct { + // category is "SECURITY", "PACKAGE-MANAGER" or "OTHER" + Category string `json:"referenceCategory"` + + // type is an [idstring] as defined in Appendix VI; + // called RefType here due to "type" being a Golang keyword + RefType string `json:"referenceType"` + + // locator is a unique string to access the package-specific + // info, metadata or content within the target location + Locator string `json:"referenceLocator"` + + // 7.22: Package External Reference Comment + // Cardinality: conditional (optional, one) for each External Reference + ExternalRefComment string `json:"comment,omitempty"` +} + +var _ json.Unmarshaler = (*PackageExternalReference)(nil) + +func (r *PackageExternalReference) UnmarshalJSON(b []byte) error { + type ref PackageExternalReference + var rr ref + if err := json.Unmarshal(b, &rr); err != nil { + return err + } + + rr.Category = strings.ReplaceAll(rr.Category, "_", "-") + + *r = PackageExternalReference(rr) + return nil +} + +var _ json.Marshaler = (*PackageExternalReference)(nil) + +func (r *PackageExternalReference) MarshalJSON() ([]byte, error) { + type ref PackageExternalReference + var rr ref + + rr = ref(*r) + + rr.Category = strings.ReplaceAll(rr.Category, "_", "-") + + return marshal.JSON(&rr) +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/relationship.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/relationship.go new file mode 100644 index 000000000..d5cd8d8ba --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/relationship.go @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// Relationship is a Relationship section of an SPDX Document +type Relationship struct { + + // 11.1: Relationship + // Cardinality: optional, one or more; one per Relationship + // one mandatory for SPDX Document with multiple packages + // RefA and RefB are first and second item + // Relationship is type from 11.1.1 + RefA common.DocElementID `json:"spdxElementId"` + RefB common.DocElementID `json:"relatedSpdxElement"` + Relationship string `json:"relationshipType"` + + // 11.2: Relationship Comment + // Cardinality: optional, one + RelationshipComment string `json:"comment,omitempty"` +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/review.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/review.go new file mode 100644 index 000000000..cf1a1c71c --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/review.go @@ -0,0 +1,25 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +// Review is a Review section of an SPDX Document. +// DEPRECATED in version 2.0 of spec; retained here for compatibility. +type Review struct { + + // DEPRECATED in version 2.0 of spec + // 13.1: Reviewer + // Cardinality: optional, one + Reviewer string + // including AnnotatorType: one of "Person", "Organization" or "Tool" + ReviewerType string + + // DEPRECATED in version 2.0 of spec + // 13.2: Review Date: YYYY-MM-DDThh:mm:ssZ + // Cardinality: conditional (mandatory, one) if there is a Reviewer + ReviewDate string + + // DEPRECATED in version 2.0 of spec + // 13.3: Review Comment + // Cardinality: optional, one + ReviewComment string +} diff --git a/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/snippet.go b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/snippet.go new file mode 100644 index 000000000..9c479d232 --- /dev/null +++ b/vendor/github.com/spdx/tools-golang/spdx/v2/v2_3/snippet.go @@ -0,0 +1,50 @@ +// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +package v2_3 + +import ( + "github.com/spdx/tools-golang/spdx/v2/common" +) + +// Snippet is a Snippet section of an SPDX Document +type Snippet struct { + + // 9.1: Snippet SPDX Identifier: "SPDXRef-[idstring]" + // Cardinality: mandatory, one + SnippetSPDXIdentifier common.ElementID `json:"SPDXID"` + + // 9.2: Snippet from File SPDX Identifier + // Cardinality: mandatory, one + SnippetFromFileSPDXIdentifier common.ElementID `json:"snippetFromFile"` + + // Ranges denotes the start/end byte offsets or line numbers that the snippet is relevant to + Ranges []common.SnippetRange `json:"ranges"` + + // 9.5: Snippet Concluded License: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one + SnippetLicenseConcluded string `json:"licenseConcluded,omitempty"` + + // 9.6: License Information in Snippet: SPDX License Expression, "NONE" or "NOASSERTION" + // Cardinality: optional, one or many + LicenseInfoInSnippet []string `json:"licenseInfoInSnippets,omitempty"` + + // 9.7: Snippet Comments on License + // Cardinality: optional, one + SnippetLicenseComments string `json:"licenseComments,omitempty"` + + // 9.8: Snippet Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION" + // Cardinality: mandatory, one + SnippetCopyrightText string `json:"copyrightText"` + + // 9.9: Snippet Comment + // Cardinality: optional, one + SnippetComment string `json:"comment,omitempty"` + + // 9.10: Snippet Name + // Cardinality: optional, one + SnippetName string `json:"name,omitempty"` + + // 9.11: Snippet Attribution Text + // Cardinality: optional, one or many + SnippetAttributionTexts []string `json:"-" yaml:"-"` +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 433c1eb30..ba2a79f34 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -10,13 +10,14 @@ github.com/alicebob/miniredis/v2/hyperloglog github.com/alicebob/miniredis/v2/metro github.com/alicebob/miniredis/v2/server github.com/alicebob/miniredis/v2/size -# github.com/aquasecurity/trivy v0.50.0 +# github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 +## explicit; go 1.18 +github.com/anchore/go-struct-converter +# github.com/aquasecurity/trivy v0.49.1 ## explicit; go 1.21 github.com/aquasecurity/trivy/pkg/digest github.com/aquasecurity/trivy/pkg/fanal/types -github.com/aquasecurity/trivy/pkg/sbom/core github.com/aquasecurity/trivy/pkg/types -github.com/aquasecurity/trivy/pkg/uuid # github.com/aquasecurity/trivy-db v0.0.0-20231005141211-4fc651f7ac8d ## explicit; go 1.19 github.com/aquasecurity/trivy-db/pkg/types @@ -70,9 +71,6 @@ github.com/golang-migrate/migrate/v4/source/go_bindata ## explicit; go 1.18 github.com/google/go-containerregistry/pkg/v1 github.com/google/go-containerregistry/pkg/v1/types -# github.com/google/uuid v1.6.0 -## explicit -github.com/google/uuid # github.com/gophercloud/gophercloud v1.11.0 ## explicit; go 1.14 github.com/gophercloud/gophercloud @@ -202,6 +200,12 @@ github.com/sapcc/go-bits/sqlext # github.com/sergi/go-diff v1.3.1 ## explicit; go 1.12 github.com/sergi/go-diff/diffmatchpatch +# github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a +## explicit; go 1.13 +github.com/spdx/tools-golang/json/marshal +github.com/spdx/tools-golang/spdx +github.com/spdx/tools-golang/spdx/v2/common +github.com/spdx/tools-golang/spdx/v2/v2_3 # github.com/spf13/cobra v1.8.0 ## explicit; go 1.15 github.com/spf13/cobra