Merge remote-tracking branch 'upstream/main' into add-python-extractors

.editorconfig

@@ -0,0 +1,16 @@
+# EditorConfig helps developers define and maintain consistent
+# coding styles between different editors and IDEs
+# editorconfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+
+[*.go]
+indent_style = tab

binary/proto/proto.go

@@ -221,14 +221,15 @@ func inventoryToProto(i *extractor.Inventory) (*spb.Inventory, error) {
 		return nil, err
 	}
 	inventoryProto := &spb.Inventory{
-		Name:       i.Name,
-		Version:    i.Version,
-		SourceCode: sourceCodeIdentifierToProto(i.SourceCode),
-		Purl:       purlToProto(p),
-		Cpes:       cpes,
-		Ecosystem:  ecosystem,
-		Locations:  i.Locations,
-		Extractor:  i.Extractor.Name(),
+		Name:        i.Name,
+		Version:     i.Version,
+		SourceCode:  sourceCodeIdentifierToProto(i.SourceCode),
+		Purl:        purlToProto(p),
+		Cpes:        cpes,
+		Ecosystem:   ecosystem,
+		Locations:   i.Locations,
+		Extractor:   i.Extractor.Name(),
+		Annotations: annotationsToProto(i.Annotations),
 	}
 	setProtoMetadata(i.Metadata, inventoryProto)
 	return inventoryProto, nil
@@ -380,6 +381,7 @@ func setProtoMetadata(meta any, i *spb.Inventory) {
 		i.Metadata = &spb.Inventory_PythonRequirementsMetadata{
 			PythonRequirementsMetadata: &spb.PythonRequirementsMetadata{
 				HashCheckingModeValues: m.HashCheckingModeValues,
+				VersionComparator:      m.VersionComparator,
 			},
 		}
 	}
@@ -408,6 +410,32 @@ func purlToProto(p *purl.PackageURL) *spb.Purl {
 	}
 }
 
+func annotationsToProto(as []extractor.Annotation) []spb.Inventory_AnnotationEnum {
+	if as == nil {
+		return nil
+	}
+	ps := []spb.Inventory_AnnotationEnum{}
+	for _, a := range as {
+		ps = append(ps, annotationToProto(a))
+	}
+	return ps
+}
+
+func annotationToProto(s extractor.Annotation) spb.Inventory_AnnotationEnum {
+	var e spb.Inventory_AnnotationEnum
+	switch s {
+	case extractor.Transitional:
+		e = spb.Inventory_TRANSITIONAL
+	case extractor.InsideOSPackage:
+		e = spb.Inventory_INSIDE_OS_PACKAGE
+	case extractor.InsideCacheDir:
+		e = spb.Inventory_INSIDE_CACHE_DIR
+	default:
+		e = spb.Inventory_UNSPECIFIED
+	}
+	return e
+}
+
 func sourceCodeIdentifierToProto(s *extractor.SourceCodeIdentifier) *spb.SourceCodeIdentifier {
 	if s == nil {
 		return nil

binary/proto/proto_test.go

@@ -167,6 +167,21 @@ func TestScanResultToProto(t *testing.T) {
 		Locations: []string{"/file1"},
 		Extractor: dpkg.New(dpkg.DefaultConfig()),
 	}
+	purlDPKGAnnotationInventory := &extractor.Inventory{
+		Name:    "software",
+		Version: "1.0.0",
+		Metadata: &dpkg.Metadata{
+			PackageName:       "software",
+			PackageVersion:    "1.0.0",
+			OSID:              "debian",
+			OSVersionCodename: "jammy",
+			Maintainer:        "maintainer",
+			Architecture:      "amd64",
+		},
+		Locations:   []string{"/file1"},
+		Extractor:   dpkg.New(dpkg.DefaultConfig()),
+		Annotations: []extractor.Annotation{extractor.Transitional},
+	}
 	purlPythonInventory := &extractor.Inventory{
 		Name:      "software",
 		Version:   "1.0.0",
@@ -184,6 +199,7 @@ func TestScanResultToProto(t *testing.T) {
 		Extractor: requirements.Extractor{},
 		Metadata: &requirements.Metadata{
 			HashCheckingModeValues: []string{"sha256:123"},
+			VersionComparator:      ">=",
 		},
 	}
 
@@ -234,6 +250,35 @@ func TestScanResultToProto(t *testing.T) {
 		Locations: []string{"/file1"},
 		Extractor: "os/dpkg",
 	}
+	purlDPKGAnnotationInventoryProto := &spb.Inventory{
+		Name:    "software",
+		Version: "1.0.0",
+		Purl: &spb.Purl{
+			Purl:      "pkg:deb/debian/[email protected]?arch=amd64&distro=jammy",
+			Type:      purl.TypeDebian,
+			Namespace: "debian",
+			Name:      "software",
+			Version:   "1.0.0",
+			Qualifiers: []*spb.Qualifier{
+				&spb.Qualifier{Key: "arch", Value: "amd64"},
+				&spb.Qualifier{Key: "distro", Value: "jammy"},
+			},
+		},
+		Ecosystem: "Debian",
+		Metadata: &spb.Inventory_DpkgMetadata{
+			DpkgMetadata: &spb.DPKGPackageMetadata{
+				PackageName:       "software",
+				PackageVersion:    "1.0.0",
+				OsId:              "debian",
+				OsVersionCodename: "jammy",
+				Maintainer:        "maintainer",
+				Architecture:      "amd64",
+			},
+		},
+		Locations:   []string{"/file1"},
+		Extractor:   "os/dpkg",
+		Annotations: []spb.Inventory_AnnotationEnum{spb.Inventory_TRANSITIONAL},
+	}
 	purlPythonInventoryProto := &spb.Inventory{
 		Name:    "software",
 		Version: "1.0.0",
@@ -268,6 +313,7 @@ func TestScanResultToProto(t *testing.T) {
 		Metadata: &spb.Inventory_PythonRequirementsMetadata{
 			PythonRequirementsMetadata: &spb.PythonRequirementsMetadata{
 				HashCheckingModeValues: []string{"sha256:123"},
+				VersionComparator:      ">=",
 			},
 		},
 	}
@@ -452,7 +498,14 @@ func TestScanResultToProto(t *testing.T) {
 						Status:  success,
 					},
 				},
-				Inventories: []*extractor.Inventory{purlDPKGInventory, purlPythonInventory, pythonRequirementsInventory, purlJavascriptInventory, cpeInventory},
+				Inventories: []*extractor.Inventory{
+					purlDPKGInventory,
+					purlDPKGAnnotationInventory,
+					purlPythonInventory,
+					pythonRequirementsInventory,
+					purlJavascriptInventory,
+					cpeInventory,
+				},
 				Findings: []*detector.Finding{
 					&detector.Finding{
 						Adv: &detector.Advisory{
@@ -495,7 +548,14 @@ func TestScanResultToProto(t *testing.T) {
 						Status:  successProto,
 					},
 				},
-				Inventories: []*spb.Inventory{purlDPKGInventoryProto, purlPythonInventoryProto, pythonRequirementsInventoryProto, purlJavascriptInventoryProto, cpeInventoryProto},
+				Inventories: []*spb.Inventory{
+					purlDPKGInventoryProto,
+					purlDPKGAnnotationInventoryProto,
+					purlPythonInventoryProto,
+					pythonRequirementsInventoryProto,
+					purlJavascriptInventoryProto,
+					cpeInventoryProto,
+				},
 				Findings: []*spb.Finding{
 					&spb.Finding{
 						Adv: &spb.Advisory{

binary/proto/scan_result.proto

@@ -99,6 +99,14 @@ message Inventory {
     ContainerdRuntimeContainerMetadata containerd_runtime_container_metadata =
         25;
   }
+
+  repeated AnnotationEnum annotations = 28;
+  enum AnnotationEnum {
+    UNSPECIFIED = 0;
+    TRANSITIONAL = 1;
+    INSIDE_OS_PACKAGE = 2;
+    INSIDE_CACHE_DIR = 3;
+  }
 }
 
 // Additional identifiers for source code software packages (e.g. NPM).
@@ -306,6 +314,7 @@ message OSVPackageMetadata {
 
 message PythonRequirementsMetadata {
   repeated string hash_checking_mode_values = 1;
+  string version_comparator = 2;
 }
 
 message ContainerdContainerMetadata {