From b9b7fa88721d460aba921e7059e3e0f018d0c248 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 14 Jul 2023 16:28:36 +0000 Subject: [PATCH] Bump github.com/sylabs/sif/v2 from 2.7.0 to 2.8.1 Bumps [github.com/sylabs/sif/v2](https://github.com/sylabs/sif) from 2.7.0 to 2.8.1. - [Release notes](https://github.com/sylabs/sif/releases) - [Changelog](https://github.com/sylabs/sif/blob/main/.goreleaser.yml) - [Commits](https://github.com/sylabs/sif/compare/v2.7.0...v2.8.1) --- updated-dependencies: - dependency-name: github.com/sylabs/sif/v2 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 +- .../sylabs/sif/v2/pkg/sif/buffer.go | 14 +- .../sylabs/sif/v2/pkg/sif/descriptor.go | 31 +++- .../sylabs/sif/v2/pkg/sif/descriptor_input.go | 35 +++- .../github.com/sylabs/sif/v2/pkg/sif/sif.go | 168 +++++++++++------- vendor/modules.txt | 4 +- 7 files changed, 173 insertions(+), 85 deletions(-) diff --git a/go.mod b/go.mod index aad90be9fbe..b9b2e1adabd 100644 --- a/go.mod +++ b/go.mod @@ -259,7 +259,7 @@ require ( github.com/spf13/pflag v1.0.6-0.20210604193023-d5e0c0615ace // indirect github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980 // indirect github.com/stoewer/go-strcase v1.2.0 // indirect - github.com/sylabs/sif/v2 v2.7.1 // indirect + github.com/sylabs/sif/v2 v2.8.1 // indirect github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect github.com/tchap/go-patricia v2.3.0+incompatible // indirect github.com/theupdateframework/go-tuf v0.3.1 // indirect diff --git a/go.sum b/go.sum index 25008e1e098..023eaf8fb71 100644 --- a/go.sum +++ b/go.sum @@ -1769,8 +1769,8 @@ github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gt github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/sylabs/sif/v2 v2.7.0/go.mod h1:TiyBWsgWeh5yBeQFNuQnvROwswqK7YJT8JA1L53bsXQ= -github.com/sylabs/sif/v2 v2.7.1 h1:XXt9AP39sQfsMCGOGQ/XP9H47yqZOvAonalkaCaNIYM= -github.com/sylabs/sif/v2 v2.7.1/go.mod h1:bBse2nEFd3yHkmq6KmAOFEWQg5LdFYiQUdVcgamxlc8= +github.com/sylabs/sif/v2 v2.8.1 h1:whr4Vz12RXfLnYyVGHoD/rD/hbF2g9OW7BJHa+WIqW8= +github.com/sylabs/sif/v2 v2.8.1/go.mod h1:LQOdYXC9a8i7BleTKRw9lohi0rTbXkJOeS9u0ebvgyM= github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= diff --git a/vendor/github.com/sylabs/sif/v2/pkg/sif/buffer.go b/vendor/github.com/sylabs/sif/v2/pkg/sif/buffer.go index d706fb1a59c..1d73a4750e6 100644 --- a/vendor/github.com/sylabs/sif/v2/pkg/sif/buffer.go +++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/buffer.go @@ -1,4 +1,4 @@ -// Copyright (c) 2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2021-2022, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the // LICENSE file distributed with the sources of this project regarding your // rights to use or distribute this software. @@ -25,7 +25,7 @@ func NewBuffer(buf []byte) *Buffer { var errNegativeOffset = errors.New("negative offset") // ReadAt implements the io.ReaderAt interface. -func (b *Buffer) ReadAt(p []byte, off int64) (n int, err error) { +func (b *Buffer) ReadAt(p []byte, off int64) (int, error) { if off < 0 { return 0, errNegativeOffset } @@ -34,17 +34,17 @@ func (b *Buffer) ReadAt(p []byte, off int64) (n int, err error) { return 0, io.EOF } - n = copy(p, b.buf[off:]) + n := copy(p, b.buf[off:]) if n < len(p) { - err = io.EOF + return n, io.EOF } - return n, err + return n, nil } var errNegativePosition = errors.New("negative position") // Write implements the io.Writer interface. -func (b *Buffer) Write(p []byte) (n int, err error) { +func (b *Buffer) Write(p []byte) (int, error) { if b.pos < 0 { return 0, errNegativePosition } @@ -53,7 +53,7 @@ func (b *Buffer) Write(p []byte) (n int, err error) { b.buf = append(b.buf, make([]byte, need-have)...) } - n = copy(b.buf[b.pos:], p) + n := copy(b.buf[b.pos:], p) b.pos += int64(n) return n, nil } diff --git a/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go b/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go index da7a6a7c7be..03ed2b042bd 100644 --- a/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go +++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor.go @@ -1,4 +1,4 @@ -// Copyright (c) 2018-2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2018-2022, Sylabs Inc. All rights reserved. // Copyright (c) 2017, SingularityWare, LLC. All rights reserved. // Copyright (c) 2017, Yannick Cote All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the @@ -56,6 +56,11 @@ type cryptoMessage struct { Messagetype MessageType } +// sbom represents the SIF SBOM data object descriptor. +type sbom struct { + Format SBOMFormat +} + var errNameTooLarge = errors.New("name value too large") // setName encodes name into the name field of d. @@ -96,7 +101,7 @@ func (d *rawDescriptor) setExtra(v interface{}) error { } // getPartitionMetadata gets metadata for a partition data object. -func (d rawDescriptor) getPartitionMetadata() (fs FSType, pt PartType, arch string, err error) { +func (d rawDescriptor) getPartitionMetadata() (FSType, PartType, string, error) { if got, want := d.DataType, DataPartition; got != want { return 0, 0, "", &unexpectedDataTypeError{got, []DataType{want}} } @@ -142,6 +147,8 @@ func (d Descriptor) GroupID() uint32 { return d.raw.GroupID &^ descrGroupMask } // LinkedID returns the object/group ID d is linked to, or zero if d does not contain a linked // ID. If isGroup is true, the returned id is an object group ID. Otherwise, the returned id is a // data object ID. +// +//nolint:nonamedreturns // Named returns effective as documentation. func (d Descriptor) LinkedID() (id uint32, isGroup bool) { return d.raw.LinkedID &^ descrGroupMask, d.raw.LinkedID&descrGroupMask == descrGroupMask } @@ -162,6 +169,8 @@ func (d Descriptor) ModifiedAt() time.Time { return time.Unix(d.raw.ModifiedAt, func (d Descriptor) Name() string { return strings.TrimRight(string(d.raw.Name[:]), "\000") } // PartitionMetadata gets metadata for a partition data object. +// +//nolint:nonamedreturns // Named returns effective as documentation. func (d Descriptor) PartitionMetadata() (fs FSType, pt PartType, arch string, err error) { return d.raw.getPartitionMetadata() } @@ -186,6 +195,8 @@ func getHashType(ht hashType) (crypto.Hash, error) { } // SignatureMetadata gets metadata for a signature data object. +// +//nolint:nonamedreturns // Named returns effective as documentation. func (d Descriptor) SignatureMetadata() (ht crypto.Hash, fp []byte, err error) { if got, want := d.raw.DataType, DataSignature; got != want { return ht, fp, &unexpectedDataTypeError{got, []DataType{want}} @@ -224,6 +235,22 @@ func (d Descriptor) CryptoMessageMetadata() (FormatType, MessageType, error) { return m.Formattype, m.Messagetype, nil } +// SBOMMetadata gets metadata for a SBOM data object. +func (d Descriptor) SBOMMetadata() (SBOMFormat, error) { + if got, want := d.raw.DataType, DataSBOM; got != want { + return 0, &unexpectedDataTypeError{got, []DataType{want}} + } + + var s sbom + + b := bytes.NewReader(d.raw.Extra[:]) + if err := binary.Read(b, binary.LittleEndian, &s); err != nil { + return 0, fmt.Errorf("%w", err) + } + + return s.Format, nil +} + // GetData returns the data object associated with descriptor d. func (d Descriptor) GetData() ([]byte, error) { b := make([]byte, d.raw.Size) diff --git a/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor_input.go b/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor_input.go index c55cf51f9de..3e81c394fcf 100644 --- a/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor_input.go +++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/descriptor_input.go @@ -1,4 +1,4 @@ -// Copyright (c) 2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2021-2022, Sylabs Inc. All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the // LICENSE file distributed with the sources of this project regarding your // rights to use or distribute this software. @@ -10,7 +10,6 @@ import ( "errors" "fmt" "io" - "os" "time" ) @@ -227,6 +226,24 @@ func OptSignatureMetadata(ht crypto.Hash, fp []byte) DescriptorInputOpt { } } +// OptSBOMMetadata sets metadata for a SBOM data object. The SBOM format is set to f. +// +// If this option is applied to a data object with an incompatible type, an error is returned. +func OptSBOMMetadata(f SBOMFormat) DescriptorInputOpt { + return func(t DataType, opts *descriptorOpts) error { + if got, want := t, DataSBOM; got != want { + return &unexpectedDataTypeError{got, []DataType{want}} + } + + s := sbom{ + Format: f, + } + + opts.extra = s + return nil + } +} + // DescriptorInput describes a new data object. type DescriptorInput struct { dt DataType @@ -242,14 +259,15 @@ const DefaultObjectGroup = 1 // // It is possible (and often necessary) to store additional metadata related to certain types of // data objects. Consider supplying options such as OptCryptoMessageMetadata, OptPartitionMetadata, -// and OptSignatureMetadata for this purpose. +// OptSignatureMetadata, and OptSBOMMetadata for this purpose. // // By default, the data object will be placed in the default data object groupĀ (1). To override // this behavior, use OptNoGroup or OptGroupID. To link this data object, use OptLinkedID or // OptLinkedGroupID. // -// By default, the data object will be aligned according to the system's memory page size. To -// override this behavior, consider using OptObjectAlignment. +// By default, the data object will not be aligned unless it is of type DataPartition, in which +// case it will be aligned on a 4096 byte boundary. To override this behavior, consider using +// OptObjectAlignment. // // By default, no name is set for data object. To set a name, use OptObjectName. // @@ -258,8 +276,11 @@ const DefaultObjectGroup = 1 // image modification time. To override this behavior, consider using OptObjectTime. func NewDescriptorInput(t DataType, r io.Reader, opts ...DescriptorInputOpt) (DescriptorInput, error) { dopts := descriptorOpts{ - groupID: DefaultObjectGroup, - alignment: os.Getpagesize(), + groupID: DefaultObjectGroup, + } + + if t == DataPartition { + dopts.alignment = 4096 } for _, opt := range opts { diff --git a/vendor/github.com/sylabs/sif/v2/pkg/sif/sif.go b/vendor/github.com/sylabs/sif/v2/pkg/sif/sif.go index 704acee4a0e..2d1c2091dc2 100644 --- a/vendor/github.com/sylabs/sif/v2/pkg/sif/sif.go +++ b/vendor/github.com/sylabs/sif/v2/pkg/sif/sif.go @@ -1,4 +1,4 @@ -// Copyright (c) 2018-2021, Sylabs Inc. All rights reserved. +// Copyright (c) 2018-2022, Sylabs Inc. All rights reserved. // Copyright (c) 2017, SingularityWare, LLC. All rights reserved. // Copyright (c) 2017, Yannick Cote All rights reserved. // This software is licensed under a 3-clause BSD license. Please consult the @@ -10,69 +10,68 @@ // // Layout of a SIF file (example): // -// .================================================. -// | GLOBAL HEADER: Sifheader | -// | - launch: "#!/usr/bin/env..." | -// | - magic: "SIF_MAGIC" | -// | - version: "1" | -// | - arch: "4" | -// | - uuid: b2659d4e-bd50-4ea5-bd17-eec5e54f918e | -// | - ctime: 1504657553 | -// | - mtime: 1504657653 | -// | - ndescr: 3 | -// | - descroff: 120 | --. -// | - descrlen: 432 | | -// | - dataoff: 4096 | | -// | - datalen: 619362 | | -// |------------------------------------------------| <-' -// | DESCR[0]: Sifdeffile | -// | - Sifcommon | -// | - datatype: DATA_DEFFILE | -// | - id: 1 | -// | - groupid: 1 | -// | - link: NONE | -// | - fileoff: 4096 | --. -// | - filelen: 222 | | -// |------------------------------------------------| <-----. -// | DESCR[1]: Sifpartition | | | -// | - Sifcommon | | | -// | - datatype: DATA_PARTITION | | | -// | - id: 2 | | | -// | - groupid: 1 | | | -// | - link: NONE | | | -// | - fileoff: 4318 | ----. | -// | - filelen: 618496 | | | | -// | - fstype: Squashfs | | | | -// | - parttype: System | | | | -// | - content: Linux | | | | -// |------------------------------------------------| | | | -// | DESCR[2]: Sifsignature | | | | -// | - Sifcommon | | | | -// | - datatype: DATA_SIGNATURE | | | | -// | - id: 3 | | | | -// | - groupid: NONE | | | | -// | - link: 2 | ------' -// | - fileoff: 622814 | ------. -// | - filelen: 644 | | | | -// | - hashtype: SHA384 | | | | -// | - entity: @ | | | | -// |------------------------------------------------| <-' | | -// | Definition file data | | | -// | . | | | -// | . | | | -// | . | | | -// |------------------------------------------------| <---' | -// | File system partition image | | -// | . | | -// | . | | -// | . | | -// |------------------------------------------------| <-----' -// | Signed verification data | -// | . | -// | . | -// | . | -// `================================================' -// +// .================================================. +// | GLOBAL HEADER: Sifheader | +// | - launch: "#!/usr/bin/env..." | +// | - magic: "SIF_MAGIC" | +// | - version: "1" | +// | - arch: "4" | +// | - uuid: b2659d4e-bd50-4ea5-bd17-eec5e54f918e | +// | - ctime: 1504657553 | +// | - mtime: 1504657653 | +// | - ndescr: 3 | +// | - descroff: 120 | --. +// | - descrlen: 432 | | +// | - dataoff: 4096 | | +// | - datalen: 619362 | | +// |------------------------------------------------| <-' +// | DESCR[0]: Sifdeffile | +// | - Sifcommon | +// | - datatype: DATA_DEFFILE | +// | - id: 1 | +// | - groupid: 1 | +// | - link: NONE | +// | - fileoff: 4096 | --. +// | - filelen: 222 | | +// |------------------------------------------------| <-----. +// | DESCR[1]: Sifpartition | | | +// | - Sifcommon | | | +// | - datatype: DATA_PARTITION | | | +// | - id: 2 | | | +// | - groupid: 1 | | | +// | - link: NONE | | | +// | - fileoff: 4318 | ----. | +// | - filelen: 618496 | | | | +// | - fstype: Squashfs | | | | +// | - parttype: System | | | | +// | - content: Linux | | | | +// |------------------------------------------------| | | | +// | DESCR[2]: Sifsignature | | | | +// | - Sifcommon | | | | +// | - datatype: DATA_SIGNATURE | | | | +// | - id: 3 | | | | +// | - groupid: NONE | | | | +// | - link: 2 | ------' +// | - fileoff: 622814 | ------. +// | - filelen: 644 | | | | +// | - hashtype: SHA384 | | | | +// | - entity: @ | | | | +// |------------------------------------------------| <-' | | +// | Definition file data | | | +// | . | | | +// | . | | | +// | . | | | +// |------------------------------------------------| <---' | +// | File system partition image | | +// | . | | +// | . | | +// | . | | +// |------------------------------------------------| <-----' +// | Signed verification data | +// | . | +// | . | +// | . | +// `================================================' package sif import ( @@ -133,6 +132,7 @@ const ( DataGenericJSON // generic JSON meta-data DataGeneric // generic / raw data DataCryptoMessage // cryptographic message data object + DataSBOM // software bill of materials ) // String returns a human-readable representation of t. @@ -154,6 +154,8 @@ func (t DataType) String() string { return "Generic/Raw" case DataCryptoMessage: return "Cryptographic Message" + case DataSBOM: + return "SBOM" } return "Unknown" } @@ -268,6 +270,44 @@ func (t MessageType) String() string { return "Unknown" } +// SBOMFormat represents the format used to store an SBOM object. +type SBOMFormat int32 + +// List of supported SBOM formats. +const ( + SBOMFormatCycloneDXJSON SBOMFormat = iota + 1 // CycloneDX (JSON) + SBOMFormatCycloneDXXML // CycloneDX (XML) + SBOMFormatGitHubJSON // GitHub dependency snapshot (JSON) + SBOMFormatSPDXJSON // SPDX (JSON) + SBOMFormatSPDXRDF // SPDX (RDF/xml) + SBOMFormatSPDXTagValue // SPDX (tag/value) + SBOMFormatSPDXYAML // SPDX (YAML) + SBOMFormatSyftJSON // Syft (JSON) +) + +// String returns a human-readable representation of f. +func (f SBOMFormat) String() string { + switch f { + case SBOMFormatCycloneDXJSON: + return "cyclonedx-json" + case SBOMFormatCycloneDXXML: + return "cyclonedx-xml" + case SBOMFormatGitHubJSON: + return "github-json" + case SBOMFormatSPDXJSON: + return "spdx-json" + case SBOMFormatSPDXRDF: + return "spdx-rdf" + case SBOMFormatSPDXTagValue: + return "spdx-tag-value" + case SBOMFormatSPDXYAML: + return "spdx-yaml" + case SBOMFormatSyftJSON: + return "syft-json" + } + return "unknown" +} + // header describes a loaded SIF file. type header struct { LaunchScript [hdrLaunchLen]byte diff --git a/vendor/modules.txt b/vendor/modules.txt index 80187705ca6..3ff80357903 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1585,8 +1585,8 @@ github.com/stoewer/go-strcase ## explicit; go 1.20 github.com/stretchr/testify/assert github.com/stretchr/testify/require -# github.com/sylabs/sif/v2 v2.7.1 -## explicit; go 1.17 +# github.com/sylabs/sif/v2 v2.8.1 +## explicit; go 1.18 github.com/sylabs/sif/v2/pkg/sif # github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 ## explicit