-
Notifications
You must be signed in to change notification settings - Fork 578
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(cataloger): add a terraform provider cataloger #3378
base: main
Are you sure you want to change the base?
Conversation
The changes from this PR seem to work quite well for me. Below is the output of running syft output➜ syft git:(terraform-cataloger) go run ./cmd/syft/... scan file:../tf/.terraform.lock.hcl
✔ Indexed file system ../tf-sbom
✔ Cataloged contents dcdf16c165b58a86bb407ab8aa1c11edfd2a545b5ccc58fe60c82964f6f4d573
├── ✔ Packages [458 packages]
├── ✔ File digests [8 files]
├── ✔ File metadata [8 locations]
└── ✔ Executables [2 executables]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which
NAME VERSION TYPE
actions/checkout v4 github-action (+1 duplicate)
actions/stale v9 github-action
amannn/action-semantic-pull-request v5.5.3 github-action
bitbucket.org/creachadair/stringset v0.0.8 go-module
cel.dev/expr v0.15.0 go-module
cloud.google.com/go v0.115.1 go-module
cloud.google.com/go/auth v0.9.0 go-module
cloud.google.com/go/auth/oauth2adapt v0.2.4 go-module
cloud.google.com/go/bigtable v1.30.0 go-module
cloud.google.com/go/compute/metadata v0.5.0 go-module
cloud.google.com/go/iam v1.1.13 go-module
cloud.google.com/go/longrunning v0.5.12 go-module
cloud.google.com/go/monitoring v1.20.4 go-module
clowdhaus/terraform-composite-actions/directories v1.9.0 github-action
clowdhaus/terraform-composite-actions/pre-commit v1.11.1 github-action
clowdhaus/terraform-min-max v1.3.1 github-action
cycjimmy/semantic-release-action v4 github-action
dessant/lock-threads v5 github-action
github.com/GoogleCloudPlatform/declarative-resource-client-library v1.74.0 go-module
github.com/ProtonMail/go-crypto v1.1.0-alpha.2 go-module
github.com/ProtonMail/go-crypto v1.1.0-beta.0-proton go-module
github.com/YakDriver/go-version v0.1.0 go-module
github.com/YakDriver/regexache v0.24.0 go-module
github.com/agext/levenshtein v1.2.2 go-module
github.com/agext/levenshtein v1.2.3 go-module
github.com/apparentlymart/go-cidr v1.1.0 go-module
github.com/apparentlymart/go-textseg/v15 v15.0.0 go-module (+1 duplicate)
github.com/aws/aws-sdk-go v1.55.5 go-module
github.com/aws/aws-sdk-go-v2 v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6 go-module
github.com/aws/aws-sdk-go-v2/config v1.27.43 go-module
github.com/aws/aws-sdk-go-v2/credentials v1.17.41 go-module
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 go-module
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.32 go-module
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 go-module
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 go-module
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 go-module
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.21 go-module
github.com/aws/aws-sdk-go-v2/service/accessanalyzer v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/account v1.21.2 go-module
github.com/aws/aws-sdk-go-v2/service/acm v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/acmpca v1.37.3 go-module
github.com/aws/aws-sdk-go-v2/service/amp v1.29.3 go-module
github.com/aws/aws-sdk-go-v2/service/amplify v1.27.0 go-module
github.com/aws/aws-sdk-go-v2/service/apigateway v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/apigatewayv2 v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/appconfig v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/appfabric v1.11.2 go-module
github.com/aws/aws-sdk-go-v2/service/appflow v1.45.3 go-module
github.com/aws/aws-sdk-go-v2/service/appintegrations v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/applicationautoscaling v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/applicationinsights v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/applicationsignals v1.6.2 go-module
github.com/aws/aws-sdk-go-v2/service/appmesh v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/apprunner v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/appstream v1.41.2 go-module
github.com/aws/aws-sdk-go-v2/service/appsync v1.38.2 go-module
github.com/aws/aws-sdk-go-v2/service/athena v1.47.2 go-module
github.com/aws/aws-sdk-go-v2/service/auditmanager v1.37.2 go-module
github.com/aws/aws-sdk-go-v2/service/autoscaling v1.45.2 go-module
github.com/aws/aws-sdk-go-v2/service/autoscalingplans v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/backup v1.39.3 go-module
github.com/aws/aws-sdk-go-v2/service/batch v1.46.2 go-module
github.com/aws/aws-sdk-go-v2/service/bcmdataexports v1.7.2 go-module
github.com/aws/aws-sdk-go-v2/service/bedrock v1.20.2 go-module
github.com/aws/aws-sdk-go-v2/service/bedrockagent v1.23.2 go-module
github.com/aws/aws-sdk-go-v2/service/budgets v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/chatbot v1.8.2 go-module
github.com/aws/aws-sdk-go-v2/service/chime v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines v1.20.2 go-module
github.com/aws/aws-sdk-go-v2/service/chimesdkvoice v1.19.2 go-module
github.com/aws/aws-sdk-go-v2/service/cleanrooms v1.18.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloud9 v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudcontrol v1.22.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudformation v1.55.3 go-module
github.com/aws/aws-sdk-go-v2/service/cloudfront v1.40.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore v1.8.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudhsmv2 v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudsearch v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.44.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.42.2 go-module
github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.41.2 go-module
github.com/aws/aws-sdk-go-v2/service/codeartifact v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/codebuild v1.46.0 go-module
github.com/aws/aws-sdk-go-v2/service/codecatalyst v1.17.2 go-module
github.com/aws/aws-sdk-go-v2/service/codecommit v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/codeconnections v1.5.2 go-module
github.com/aws/aws-sdk-go-v2/service/codedeploy v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/codeguruprofiler v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/codegurureviewer v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/codepipeline v1.36.0 go-module
github.com/aws/aws-sdk-go-v2/service/codestarconnections v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/codestarnotifications v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/cognitoidentity v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.46.2 go-module
github.com/aws/aws-sdk-go-v2/service/comprehend v1.35.2 go-module
github.com/aws/aws-sdk-go-v2/service/computeoptimizer v1.39.2 go-module
github.com/aws/aws-sdk-go-v2/service/configservice v1.50.2 go-module
github.com/aws/aws-sdk-go-v2/service/connect v1.113.2 go-module
github.com/aws/aws-sdk-go-v2/service/connectcases v1.21.2 go-module
github.com/aws/aws-sdk-go-v2/service/controltower v1.18.2 go-module
github.com/aws/aws-sdk-go-v2/service/costandusagereportservice v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/costexplorer v1.43.2 go-module
github.com/aws/aws-sdk-go-v2/service/costoptimizationhub v1.10.2 go-module
github.com/aws/aws-sdk-go-v2/service/customerprofiles v1.42.2 go-module
github.com/aws/aws-sdk-go-v2/service/databasemigrationservice v1.43.0 go-module
github.com/aws/aws-sdk-go-v2/service/databrew v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/dataexchange v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/datapipeline v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/datasync v1.42.2 go-module
github.com/aws/aws-sdk-go-v2/service/datazone v1.22.2 go-module
github.com/aws/aws-sdk-go-v2/service/dax v1.23.2 go-module
github.com/aws/aws-sdk-go-v2/service/detective v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/devicefarm v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/devopsguru v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/directconnect v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/directoryservice v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/dlm v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/docdb v1.39.2 go-module
github.com/aws/aws-sdk-go-v2/service/docdbelastic v1.13.2 go-module
github.com/aws/aws-sdk-go-v2/service/drs v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/dynamodb v1.36.2 go-module
github.com/aws/aws-sdk-go-v2/service/ec2 v1.182.0 go-module
github.com/aws/aws-sdk-go-v2/service/ecr v1.36.2 go-module
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/ecs v1.47.3 go-module
github.com/aws/aws-sdk-go-v2/service/efs v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/eks v1.50.2 go-module
github.com/aws/aws-sdk-go-v2/service/elasticache v1.43.0 go-module
github.com/aws/aws-sdk-go-v2/service/elasticbeanstalk v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.40.0 go-module
github.com/aws/aws-sdk-go-v2/service/elasticsearchservice v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/elastictranscoder v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/emr v1.46.0 go-module
github.com/aws/aws-sdk-go-v2/service/emrcontainers v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/emrserverless v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/eventbridge v1.35.2 go-module
github.com/aws/aws-sdk-go-v2/service/evidently v1.23.2 go-module
github.com/aws/aws-sdk-go-v2/service/finspace v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/firehose v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/fis v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/fms v1.37.2 go-module
github.com/aws/aws-sdk-go-v2/service/fsx v1.49.2 go-module
github.com/aws/aws-sdk-go-v2/service/gamelift v1.36.2 go-module
github.com/aws/aws-sdk-go-v2/service/glacier v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/globalaccelerator v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/glue v1.100.2 go-module
github.com/aws/aws-sdk-go-v2/service/grafana v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/greengrass v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/groundstation v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/guardduty v1.50.0 go-module
github.com/aws/aws-sdk-go-v2/service/healthlake v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/iam v1.37.2 go-module
github.com/aws/aws-sdk-go-v2/service/identitystore v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/inspector v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/inspector2 v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 go-module
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.2 go-module
github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.2 go-module
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 go-module
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.2 go-module
github.com/aws/aws-sdk-go-v2/service/internetmonitor v1.19.2 go-module
github.com/aws/aws-sdk-go-v2/service/iot v1.59.2 go-module
github.com/aws/aws-sdk-go-v2/service/iotanalytics v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/iotevents v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/ivs v1.41.0 go-module
github.com/aws/aws-sdk-go-v2/service/ivschat v1.16.2 go-module
github.com/aws/aws-sdk-go-v2/service/kafka v1.38.2 go-module
github.com/aws/aws-sdk-go-v2/service/kafkaconnect v1.21.2 go-module
github.com/aws/aws-sdk-go-v2/service/kendra v1.54.2 go-module
github.com/aws/aws-sdk-go-v2/service/keyspaces v1.14.2 go-module
github.com/aws/aws-sdk-go-v2/service/kinesis v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/kinesisanalytics v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/kinesisanalyticsv2 v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/kinesisvideo v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/kms v1.37.2 go-module
github.com/aws/aws-sdk-go-v2/service/lakeformation v1.37.2 go-module
github.com/aws/aws-sdk-go-v2/service/lambda v1.63.2 go-module
github.com/aws/aws-sdk-go-v2/service/launchwizard v1.8.2 go-module
github.com/aws/aws-sdk-go-v2/service/lexmodelbuildingservice v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/lexmodelsv2 v1.49.2 go-module
github.com/aws/aws-sdk-go-v2/service/licensemanager v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/lightsail v1.42.2 go-module
github.com/aws/aws-sdk-go-v2/service/location v1.42.2 go-module
github.com/aws/aws-sdk-go-v2/service/lookoutmetrics v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/m2 v1.17.2 go-module
github.com/aws/aws-sdk-go-v2/service/macie2 v1.43.2 go-module
github.com/aws/aws-sdk-go-v2/service/mediaconnect v1.35.2 go-module
github.com/aws/aws-sdk-go-v2/service/mediaconvert v1.61.2 go-module
github.com/aws/aws-sdk-go-v2/service/medialive v1.62.2 go-module
github.com/aws/aws-sdk-go-v2/service/mediapackage v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/mediapackagev2 v1.18.2 go-module
github.com/aws/aws-sdk-go-v2/service/mediastore v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/memorydb v1.24.0 go-module
github.com/aws/aws-sdk-go-v2/service/mq v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/mwaa v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/neptune v1.35.2 go-module
github.com/aws/aws-sdk-go-v2/service/neptunegraph v1.14.0 go-module
github.com/aws/aws-sdk-go-v2/service/networkfirewall v1.43.2 go-module
github.com/aws/aws-sdk-go-v2/service/networkmanager v1.31.2 go-module
github.com/aws/aws-sdk-go-v2/service/networkmonitor v1.7.2 go-module
github.com/aws/aws-sdk-go-v2/service/oam v1.15.2 go-module
github.com/aws/aws-sdk-go-v2/service/opensearch v1.41.2 go-module
github.com/aws/aws-sdk-go-v2/service/opensearchserverless v1.16.2 go-module
github.com/aws/aws-sdk-go-v2/service/opsworks v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/organizations v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/osis v1.14.2 go-module
github.com/aws/aws-sdk-go-v2/service/outposts v1.45.0 go-module
github.com/aws/aws-sdk-go-v2/service/paymentcryptography v1.14.2 go-module
github.com/aws/aws-sdk-go-v2/service/pcaconnectorad v1.9.2 go-module
github.com/aws/aws-sdk-go-v2/service/pcs v1.2.2 go-module
github.com/aws/aws-sdk-go-v2/service/pinpoint v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/pinpointsmsvoicev2 v1.15.2 go-module
github.com/aws/aws-sdk-go-v2/service/pipes v1.17.2 go-module
github.com/aws/aws-sdk-go-v2/service/polly v1.45.2 go-module
github.com/aws/aws-sdk-go-v2/service/pricing v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/qbusiness v1.14.0 go-module
github.com/aws/aws-sdk-go-v2/service/qldb v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/quicksight v1.76.2 go-module
github.com/aws/aws-sdk-go-v2/service/ram v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/rbin v1.20.2 go-module
github.com/aws/aws-sdk-go-v2/service/rds v1.87.2 go-module
github.com/aws/aws-sdk-go-v2/service/redshift v1.50.0 go-module
github.com/aws/aws-sdk-go-v2/service/redshiftdata v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/redshiftserverless v1.23.2 go-module
github.com/aws/aws-sdk-go-v2/service/rekognition v1.45.2 go-module
github.com/aws/aws-sdk-go-v2/service/resiliencehub v1.27.0 go-module
github.com/aws/aws-sdk-go-v2/service/resourceexplorer2 v1.15.3 go-module
github.com/aws/aws-sdk-go-v2/service/resourcegroups v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.16.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53 v1.45.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53domains v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53profiles v1.4.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53recoverycontrolconfig v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53recoveryreadiness v1.21.2 go-module
github.com/aws/aws-sdk-go-v2/service/route53resolver v1.33.0 go-module
github.com/aws/aws-sdk-go-v2/service/rum v1.21.2 go-module
github.com/aws/aws-sdk-go-v2/service/s3 v1.65.3 go-module
github.com/aws/aws-sdk-go-v2/service/s3control v1.49.2 go-module
github.com/aws/aws-sdk-go-v2/service/s3outposts v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/sagemaker v1.163.2 go-module
github.com/aws/aws-sdk-go-v2/service/scheduler v1.12.2 go-module
github.com/aws/aws-sdk-go-v2/service/schemas v1.28.3 go-module
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/securityhub v1.54.2 go-module
github.com/aws/aws-sdk-go-v2/service/securitylake v1.19.0 go-module
github.com/aws/aws-sdk-go-v2/service/serverlessapplicationrepository v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/servicecatalog v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/servicecatalogappregistry v1.30.2 go-module
github.com/aws/aws-sdk-go-v2/service/servicediscovery v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/servicequotas v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/ses v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/sesv2 v1.37.0 go-module
github.com/aws/aws-sdk-go-v2/service/sfn v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/shield v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/signer v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/sns v1.33.2 go-module
github.com/aws/aws-sdk-go-v2/service/sqs v1.36.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssm v1.55.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssmcontacts v1.26.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssmincidents v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssmquicksetup v1.2.3 go-module
github.com/aws/aws-sdk-go-v2/service/ssmsap v1.18.2 go-module
github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssoadmin v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 go-module
github.com/aws/aws-sdk-go-v2/service/storagegateway v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 go-module
github.com/aws/aws-sdk-go-v2/service/swf v1.27.2 go-module
github.com/aws/aws-sdk-go-v2/service/synthetics v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/timestreaminfluxdb v1.6.2 go-module
github.com/aws/aws-sdk-go-v2/service/timestreamwrite v1.29.2 go-module
github.com/aws/aws-sdk-go-v2/service/transcribe v1.41.2 go-module
github.com/aws/aws-sdk-go-v2/service/transfer v1.53.0 go-module
github.com/aws/aws-sdk-go-v2/service/verifiedpermissions v1.19.2 go-module
github.com/aws/aws-sdk-go-v2/service/vpclattice v1.12.2 go-module
github.com/aws/aws-sdk-go-v2/service/waf v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/wafregional v1.25.2 go-module
github.com/aws/aws-sdk-go-v2/service/wafv2 v1.54.2 go-module
github.com/aws/aws-sdk-go-v2/service/wellarchitected v1.34.2 go-module
github.com/aws/aws-sdk-go-v2/service/worklink v1.23.2 go-module
github.com/aws/aws-sdk-go-v2/service/workspaces v1.48.2 go-module
github.com/aws/aws-sdk-go-v2/service/workspacesweb v1.24.2 go-module
github.com/aws/aws-sdk-go-v2/service/xray v1.29.2 go-module
github.com/aws/smithy-go v1.22.0 go-module
github.com/beevik/etree v1.4.1 go-module
github.com/cedar-policy/cedar-go v0.1.0 go-module
github.com/cenkalti/backoff v2.2.1+incompatible go-module
github.com/census-instrumentation/opencensus-proto v0.4.1 go-module
github.com/cespare/xxhash/v2 v2.3.0 go-module
github.com/cloudflare/circl v1.3.7 go-module
github.com/cloudflare/circl v1.4.0 go-module
github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b go-module
github.com/davecgh/go-spew v1.1.1 go-module (+1 duplicate)
github.com/envoyproxy/go-control-plane v0.12.0 go-module
github.com/envoyproxy/protoc-gen-validate v1.0.4 go-module
github.com/fatih/color v1.16.0 go-module
github.com/fatih/color v1.17.0 go-module
github.com/felixge/httpsnoop v1.0.4 go-module
github.com/gammazero/deque v0.0.0-20180920172122-f6adf94963e4 go-module
github.com/gammazero/workerpool v0.0.0-20181230203049-86a96b5d5d92 go-module
github.com/gdavison/terraform-plugin-log v0.0.0-20230928191232-6c653d8ef8fb go-module
github.com/gertd/go-pluralize v0.2.1 go-module
github.com/go-logr/logr v1.4.2 go-module (+1 duplicate)
github.com/go-logr/stdr v1.2.2 go-module (+1 duplicate)
github.com/golang/glog v1.2.1 go-module
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da go-module
github.com/golang/protobuf v1.5.4 go-module (+1 duplicate)
github.com/google/go-cmp v0.6.0 go-module (+1 duplicate)
github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 go-module
github.com/google/s2a-go v0.1.8 go-module
github.com/google/uuid v1.6.0 go-module (+1 duplicate)
github.com/googleapis/enterprise-certificate-proxy v0.3.2 go-module
github.com/googleapis/gax-go/v2 v2.13.0 go-module
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 go-module
github.com/hashicorp/aws-cloudformation-resource-schema-sdk-go v0.23.0 go-module
github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.58 go-module
github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2 v2.0.0-beta.59 go-module
github.com/hashicorp/awspolicyequivalence v1.6.0 go-module
github.com/hashicorp/errwrap v1.0.0 go-module
github.com/hashicorp/errwrap v1.1.0 go-module
github.com/hashicorp/go-checkpoint v0.5.0 go-module (+1 duplicate)
github.com/hashicorp/go-cleanhttp v0.5.2 go-module (+1 duplicate)
github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 go-module
github.com/hashicorp/go-cty v1.4.1-0.20200723130312-85980079f637 go-module
github.com/hashicorp/go-hclog v1.6.3 go-module (+1 duplicate)
github.com/hashicorp/go-multierror v1.1.1 go-module (+1 duplicate)
github.com/hashicorp/go-plugin v1.6.0 go-module
github.com/hashicorp/go-plugin v1.6.1 go-module
github.com/hashicorp/go-retryablehttp v0.7.7 go-module
github.com/hashicorp/go-uuid v1.0.3 go-module (+1 duplicate)
github.com/hashicorp/go-version v1.6.0 go-module
github.com/hashicorp/go-version v1.7.0 go-module
github.com/hashicorp/hc-install v0.6.4 go-module
github.com/hashicorp/hc-install v0.8.0 go-module
github.com/hashicorp/hcl/v2 v2.20.1 go-module
github.com/hashicorp/hcl/v2 v2.22.0 go-module
github.com/hashicorp/logutils v1.0.0 go-module (+1 duplicate)
github.com/hashicorp/terraform-exec v0.21.0 go-module (+1 duplicate)
github.com/hashicorp/terraform-json v0.22.1 go-module (+1 duplicate)
github.com/hashicorp/terraform-plugin-framework v1.12.0 go-module
github.com/hashicorp/terraform-plugin-framework v1.7.0 go-module
github.com/hashicorp/terraform-plugin-framework-jsontypes v0.2.0 go-module
github.com/hashicorp/terraform-plugin-framework-timeouts v0.4.1 go-module
github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0 go-module
github.com/hashicorp/terraform-plugin-framework-validators v0.13.0 go-module
github.com/hashicorp/terraform-plugin-framework-validators v0.9.0 go-module
github.com/hashicorp/terraform-plugin-go v0.23.0 go-module
github.com/hashicorp/terraform-plugin-go v0.24.0 go-module
github.com/hashicorp/terraform-plugin-log v0.9.0 go-module
github.com/hashicorp/terraform-plugin-mux v0.15.0 go-module
github.com/hashicorp/terraform-plugin-mux v0.16.0 go-module
github.com/hashicorp/terraform-plugin-sdk/v2 v2.33.0 go-module
github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0 go-module
github.com/hashicorp/terraform-plugin-testing v1.10.0 go-module
github.com/hashicorp/terraform-plugin-testing v1.5.1 go-module
github.com/hashicorp/terraform-provider-aws v5.72.1 go-module
github.com/hashicorp/terraform-provider-google v6.8.0 go-module
github.com/hashicorp/terraform-registry-address v0.2.3 go-module (+1 duplicate)
github.com/hashicorp/terraform-svchost v0.1.1 go-module (+1 duplicate)
github.com/hashicorp/yamux v0.1.1 go-module (+1 duplicate)
github.com/jmespath/go-jmespath v0.4.0 go-module
github.com/kylelemons/godebug v1.1.0 go-module
github.com/mattbaird/jsonpatch v0.0.0-20240118010651-0ba75a80ca38 go-module
github.com/mattn/go-colorable v0.1.13 go-module (+1 duplicate)
github.com/mattn/go-isatty v0.0.20 go-module (+1 duplicate)
github.com/mitchellh/copystructure v1.2.0 go-module (+1 duplicate)
github.com/mitchellh/go-homedir v1.1.0 go-module (+1 duplicate)
github.com/mitchellh/go-testing-interface v1.14.1 go-module (+1 duplicate)
github.com/mitchellh/go-wordwrap v1.0.0 go-module
github.com/mitchellh/go-wordwrap v1.0.1 go-module
github.com/mitchellh/hashstructure v1.1.0 go-module
github.com/mitchellh/mapstructure v1.5.0 go-module (+1 duplicate)
github.com/mitchellh/reflectwalk v1.0.2 go-module (+1 duplicate)
github.com/oklog/run v1.0.0 go-module
github.com/oklog/run v1.1.0 go-module
github.com/shopspring/decimal v1.4.0 go-module
github.com/sirupsen/logrus v1.8.1 go-module
github.com/vmihailenco/msgpack v4.0.4+incompatible go-module (+1 duplicate)
github.com/vmihailenco/msgpack/v5 v5.4.1 go-module (+1 duplicate)
github.com/vmihailenco/tagparser/v2 v2.0.0 go-module (+1 duplicate)
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb go-module
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 go-module
github.com/xeipuuv/gojsonschema v1.2.0 go-module
github.com/zclconf/go-cty v1.14.4 go-module
github.com/zclconf/go-cty v1.15.0 go-module
go.opencensus.io v0.24.0 go-module
go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws v0.55.0 go-module
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 go-module
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 go-module
go.opentelemetry.io/otel v1.28.0 go-module
go.opentelemetry.io/otel v1.30.0 go-module
go.opentelemetry.io/otel/metric v1.28.0 go-module
go.opentelemetry.io/otel/metric v1.30.0 go-module
go.opentelemetry.io/otel/sdk v1.28.0 go-module
go.opentelemetry.io/otel/sdk/metric v1.28.0 go-module
go.opentelemetry.io/otel/trace v1.28.0 go-module
go.opentelemetry.io/otel/trace v1.30.0 go-module
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba go-module
golang.org/x/crypto v0.26.0 go-module
golang.org/x/crypto v0.28.0 go-module
golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8 go-module
golang.org/x/mod v0.17.0 go-module
golang.org/x/mod v0.21.0 go-module
golang.org/x/net v0.28.0 go-module
golang.org/x/net v0.30.0 go-module
golang.org/x/oauth2 v0.22.0 go-module
golang.org/x/sync v0.8.0 go-module
golang.org/x/sys v0.24.0 go-module
golang.org/x/sys v0.26.0 go-module
golang.org/x/text v0.17.0 go-module
golang.org/x/text v0.19.0 go-module
golang.org/x/time v0.6.0 go-module
google.golang.org/api v0.193.0 go-module
google.golang.org/genproto v0.0.0-20240814211410-ddb44dafa142 go-module
google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 go-module
google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 go-module
google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed go-module
google.golang.org/grpc v1.65.0 go-module
google.golang.org/grpc v1.66.2 go-module
google.golang.org/protobuf v1.34.2 go-module (+1 duplicate)
gopkg.in/yaml.v2 v2.4.0 go-module
registry.terraform.io/hashicorp/aws 5.72.1 terraform
registry.terraform.io/hashicorp/google 6.8.0 terraform
stdlib go1.21.13 go-module
stdlib go1.23.2 go-module Syft seems to correctly discover the go biniaries and the terraform provider dependencies. |
c17b018
to
7db9704
Compare
Oh, looks like I messed up with the metadata thus the CLI tests are failing. Will have a look at this later. |
@ghouscht! This is excellent thank you so much for the contribution and sorry for the delay in responding here - I'm about to take a look at this today and should have comments ready or just 🍏 the PR and try to get it into our next release. This is very well written and I am so grateful for the quality you put into it. I think my outstanding questions is cc @wagoodman on if we want this to be enabled by default in the dir source scan, container source, both, or none |
Thank you for the reply! Don't worry about the delay, it is not an issue. I'll keep an eye on the PR and will handle comments/suggestions asap 🙂 |
package pkg | ||
|
||
// TerraformLockEntry represents a single entry in a Terraform dependency lock file (.terraform.lock.hcl). | ||
type TerraformLockEntry struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this intended to exclusively represent providers? or can it also describe modules? From the cataloger it seems like this would always be a provider, if so this should probably be TerraformProviderLockEntry
or similar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or another way to put it: does this lock file describe only providers? or can it describe other things too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The lock file describes two different kinds of external dependencies:
- providers
- modules
See https://developer.hashicorp.com/terraform/language/files/dependency-lock for details. However the site also states:
At present, the dependency lock file tracks only provider dependencies.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha, after some thought, I think this should be TerraformLockProviderEntry
since there could be more entities to describe in the future and we want to be able to distinct them. This is also more accurate and helps the end user better understand what is being cataloged.
edit: actually, stepping back I'm changing my vote to stay only with directory scans as the lock file is not evidence of installed software, which is what we primarily search for in image scans. |
Licenses: pkg.NewLicenseSet(), // TODO: license could be found in .terraform/providers/${name}/${version}/${arch}/LICENSE.txt | ||
// TODO: Language? | ||
Type: pkg.TerraformPkg, | ||
// TODO: CPEs? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should generate CPEs for terraform providers quite yet, since it does not have a clear way to be paired up with NVD vulnerability data and that is the primary purpose for this. If there was an obviously correct way to make a bullet proof CPE from the terraform data then I'd say go for it now in this PR, but I don't think that's quite the case so I think the aforementioned point hints to leave it out for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree 👍🏻
FoundBy: "terraform-cataloger", | ||
Locations: file.NewLocationSet(reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)), | ||
Licenses: pkg.NewLicenseSet(), // TODO: license could be found in .terraform/providers/${name}/${version}/${arch}/LICENSE.txt | ||
// TODO: Language? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
technically providers are written in go... is this just because it's easier to make a provider in go (since the SDK is provided officially only for go)? or are there unofficial non-go options available? I feel like this could use pkg.Golang
that we have today, but curious for thoughts here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See also: https://developer.hashicorp.com/terraform/plugin/best-practices/provider-code#other-languages
TL;DR: It is possible to write providers in other languages but there is no official SDK or even effort from Hashicorp to support you doing so.
So I'd say it is safe to say the language is pkg.Golang
Signed-off-by: Thomas Gosteli <[email protected]>
Signed-off-by: Thomas Gosteli <[email protected]>
Signed-off-by: Thomas Gosteli <[email protected]>
Signed-off-by: Thomas Gosteli <[email protected]>
Signed-off-by: Alex Goodman <[email protected]>
cb54927
to
2c97d5d
Compare
pushed some minor naming tweaks to the branch + rebased to account for merge conflicts |
8835e61
to
4483e79
Compare
just a heads up the latest commit is missing DCO signoff |
@@ -109,6 +109,7 @@ var jsonTypes = makeJSONTypes( | |||
jsonNamesWithoutLookup(pkg.RustBinaryAuditEntry{}, "rust-cargo-audit-entry", "RustCargoPackageMetadata"), // the legacy value is split into two types, where the other is preferred | |||
jsonNames(pkg.WordpressPluginEntry{}, "wordpress-plugin-entry", "WordpressMetadata"), | |||
jsonNames(pkg.LuaRocksPackage{}, "luarocks-package"), | |||
jsonNames(pkg.TerraformLockEntry{}, "terraform-lock-entry"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
re: https://github.com/anchore/syft/pull/3378/files#r1854294491
this would also be terraform-lock-provider-entry
{ | ||
purl: "pkg:terraform/registry.terraform.io/hashicorp/[email protected]", | ||
expected: TerraformPkg, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One inconsistency is that in the purl types documentation this purl type is reserved for modules, not providers:
terraform
for Terraform modules
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it might be that we include the cataloger with purls not populated for now until we have a better answer here... this this can at least merge with a follow up when we can get clarification about the purl type
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is just about ready to cross the finish line! Had a couple comments above, but all fairly small -- I didn't want to push those changes in case I'm wrong in my comments.
Description
I came across #2402 because of a recent discussion on reddit here and now made an implementation so syft is able to discover terraform provider dependencies.
I added a new cataloger, which reads terraform's lock file(s) and returns the gathered information on used providers to the overal SBOM.
I'm new to syft and this is my first contribution here so I might need some additional guidance how to continue from here.
Type of change
Checklist: