feat(elixir): emit dependency relationships from mix.lock #4985
Open
cgreeno wants to merge 2 commits into
The Elixir cataloger only catalogued packages from mix.lock; it discarded each entry's dependency list and emitted no relationships. This adds dependency-of relationships between locked packages, matching how other ecosystem catalogers (alpine, arch, debian, redhat, python) express the dependency graph via the shared dependency.Processor/Specifier mechanism.

- ElixirMixLockEntry gains a Dependencies field (the names from the entry's dependency list — the 6th element of each mix.lock tuple).
- parseMixLock extracts those names; the entry's own source tuple is skipped.
- A mixLockDependencySpecifier declares Provides=[name], Requires=[deps] and is registered via dependency.Processor on the cataloger.
- JSON schema bumped 16.1.4 -> 16.1.5 (additive: new optional field).

Tests: unit tests for the extractor and specifier, and a cataloger-level test asserting the resolved dependency-of relationships.

Signed-off-by: Chris Greeno <cgreeno@gmail.com>
Schema Change Detection: New Schemas
⬆️ PR applying the same approach to Ruby
@wagoodman - you appear to be the main owner? Sorry if I got the wrong end of the stick. --> Same approach on this PR: #4986
Signed-off-by: Chris Greeno <cgreeno@gmail.com>

# Conflicts:
# internal/constants.go
# schema/json/schema-16.1.5.json
TLDR
We are missing the ability to distinguish transitive/direct dependencies when running SBOM on our Elixir codebase. I followed the structure I found in other parts of the code base and am going to add this for Elixir and Ruby. I will link the Ruby PR as well when I am done with it.
Description
The Elixir cataloger catalogued packages from `mix.lock` but discarded each entry's dependency list, so it emitted no relationships. Every `mix.lock` entry already encodes its own dependencies (the 6th element of the entry tuple, e.g. `{:cowlib, ...}, {:ranch, ...}`), so the dependency graph is derivable from data already in the file... no new inputs required.

This change emits `dependency-of` relationships between locked packages, using the same shared `dependency.Processor`/`Specifier` mechanism that the alpine, arch, debian, redhat, and python catalogers already use to express their dependency graphs. It is purely additive: a new optional metadata field plus relationships; package cataloging itself is unchanged.

Changeset:

- `syft/pkg/elixir.go`: `Dependencies []string` added to `ElixirMixLockEntry`
- `syft/pkg/cataloger/elixir/parse_mix_lock.go`
- `syft/pkg/cataloger/elixir/dependency.go` (new): `mixLockDependencySpecifier` declaring `Provides=[name]`, `Requires=[deps]`
- `syft/pkg/cataloger/elixir/cataloger.go`: `dependency.Processor(mixLockDependencySpecifier)`
- `internal/constants.go`: 16.1.4 → 16.1.5
- `schema/json/schema-16.1.5.json` (new) + `schema-latest.json`
- `dependency_test.go` (new), `parse_mix_lock_test.go`, `cataloger_test.go` + fixture

Schema: bumped 16.1.4 → 16.1.5, additive only (a new optional `dependencies` field on `ElixirMixLockEntry`), compatible with all historical data per the SchemaVer ADDITION rule.

Type of change: New feature (non-breaking); adds relationship data without altering existing package output.
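The mechanism the commit message and the description above both describe, as an added stand-alone illustration that is not code from this PR or from syft: a Go program that parses a constructed `mix.lock`, takes each entry's dependency names from the 6th tuple element (skipping the entry's own `{:hex, ...}` source tuple), and joins them through a Provides/Requires pairing of the same shape as `dependency.Processor`/`Specifier` to produce dependency-of edges. It goes one step beyond the page by also deriving which locked packages are top-level (nothing depends on them) versus transitive, which is the distinction the TLDR is after. The type and function names (`Entry`, `Specifier`, `ParseMixLock`, `Resolve`, `TopLevel`), the regex-based one-entry-per-line parsing, and the hex-only restriction are assumptions of this example, not the project's implementation; the sample lock content is constructed, with `plug` deliberately left unlocked to exercise the unresolved-requirement path.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Entry is a hypothetical stand-in for a locked mix.lock package (not syft's ElixirMixLockEntry).
type Entry struct {
	Name, Version string
	Dependencies  []string // names from the 6th element of the entry tuple
}
// Relationship is one dependency-of edge: From is a dependency of To.
type Relationship struct{ From, To string }
// Specifier is the Provides/Requires shape the PR describes (hypothetical type, not syft's).
type Specifier struct{ Provides, Requires []string }

var (
	// Start of a :hex entry:  "cowboy": {:hex, :cowboy, "2.9.0", ...
	entryRe = regexp.MustCompile(`^\s*"([^"]+)":\s*\{:hex,\s*:(\w+),\s*"([^"]+)"`)
	// One dependency tuple inside the 6th element:  {:cowlib, "~> 2.11", [hex: ...
	// The entry's own {:hex, :name, ...} tuple has an atom, not a string, after its first
	// comma, so it never matches here; that is how the source tuple gets skipped.
	depRe = regexp.MustCompile(`\{:(\w+),\s*"[^"]*",\s*\[`)
)

// ParseMixLock extracts name, version and dependency names from mix.lock content.
// Assumption: one entry per line (as mix writes the file) and :hex entries only.
func ParseMixLock(content string) []Entry {
	var entries []Entry
	for _, line := range strings.Split(content, "\n") {
		m := entryRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		e := Entry{Name: m[1], Version: m[3]}
		for _, d := range depRe.FindAllStringSubmatch(line, -1) {
			e.Dependencies = append(e.Dependencies, d[1])
		}
		entries = append(entries, e)
	}
	return entries
}

// mixLockSpecifier: a locked package provides its own name and requires its dependency names.
func mixLockSpecifier(e Entry) Specifier {
	return Specifier{Provides: []string{e.Name}, Requires: e.Dependencies}
}

// Resolve joins Requires against Provides into dependency-of relationships.
// A requirement with no locked provider is reported, never guessed at.
func Resolve(entries []Entry) (rels []Relationship, unresolved []string) {
	providers := map[string]string{}
	for _, e := range entries {
		for _, p := range mixLockSpecifier(e).Provides {
			providers[p] = e.Name
		}
	}
	for _, e := range entries {
		for _, r := range mixLockSpecifier(e).Requires {
			if p, ok := providers[r]; ok {
				rels = append(rels, Relationship{From: p, To: e.Name})
			} else {
				unresolved = append(unresolved, e.Name+" -> "+r)
			}
		}
	}
	// deterministic order so output (and SBOM diffs) are stable
	sort.Slice(rels, func(i, j int) bool { return rels[i].From+" "+rels[i].To < rels[j].From+" "+rels[j].To })
	return rels, unresolved
}

// TopLevel returns packages no other locked package depends on, i.e. the project's
// direct dependencies; everything else is reachable only transitively.
func TopLevel(entries []Entry, rels []Relationship) []string {
	dependedOn := map[string]bool{}
	for _, r := range rels {
		dependedOn[r.From] = true
	}
	var top []string
	for _, e := range entries {
		if !dependedOn[e.Name] {
			top = append(top, e.Name)
		}
	}
	sort.Strings(top)
	return top
}

// Constructed sample lock (hashes shortened); plug is deliberately not locked.
const sampleMixLock = `%{
  "cowboy": {:hex, :cowboy, "2.9.0", "aaa", [:make, :rebar3], [{:cowlib, "~> 2.11", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, "~> 1.8", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "bbb"},
  "cowlib": {:hex, :cowlib, "2.11.0", "aaa", [:rebar3], [], "hexpm", "bbb"},
  "plug_cowboy": {:hex, :plug_cowboy, "2.5.2", "aaa", [:mix], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "bbb"},
  "ranch": {:hex, :ranch, "1.8.0", "aaa", [:make, :rebar3], [], "hexpm", "bbb"},
}`

func main() {
	entries := ParseMixLock(sampleMixLock)
	rels, unresolved := Resolve(entries)
	fmt.Println(rels, "unresolved:", unresolved, "top-level:", TopLevel(entries, rels))
}
```

Running it on the constructed lock yields three dependency-of edges (`cowlib` and `ranch` into `cowboy`, `cowboy` into `plug_cowboy`), one unresolved requirement (`plug_cowboy -> plug`), and `plug_cowboy` as the only top-level package. The unresolved list is the part worth keeping in a real cataloger: an unmet requirement usually means the lock file and the declared dependencies have drifted, which is exactly the kind of gap an SBOM consumer wants surfaced rather than silently dropped.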