├── .dockerignore ├── .gitignore ├── .github ├── CODE_OF_CONDUCT.md ├── dependabot.yml ├── workflows │ └── ci.yml └── CONTRIBUTING.md ├── .golangci.yml ├── provenance.go ├── README.md ├── go.mod ├── docker-bake.hcl ├── types.go ├── cmd └── imageinspect │ └── main.go ├── testutil ├── image.go └── env.go ├── Dockerfile ├── load_test.go ├── sbom.go ├── load.go ├── LICENSE └── go.sum /.dockerignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | bin/ 2 | -------------------------------------------------------------------------------- /.github/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of conduct 2 | 3 | - [Moby community guidelines](https://github.com/moby/moby/blob/master/CONTRIBUTING.md#moby-community-guidelines) 4 | - [Docker Code of Conduct](https://github.com/docker/code-of-conduct) 5 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | open-pull-requests-limit: 10 5 | directory: "/" 6 | schedule: 7 | interval: "daily" 8 | labels: 9 | - "dependencies" 10 | - "bot" 11 | -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | run: 2 | timeout: 10m 3 | 4 | linters: 5 | enable: 6 | - gofmt 7 | - govet 8 | - deadcode 9 | - depguard 10 | - goimports 11 | - ineffassign 12 | - misspell 13 | - unused 14 | - varcheck 15 | - revive 16 | - staticcheck 17 | - typecheck 18 | #- structcheck # FIXME: structcheck is disabled because of generics: https://github.com/golangci/golangci-lint/issues/2649 19 | disable-all: true 20 | 21 | linters-settings: 22 | depguard: 23 | list-type: blacklist 24 | include-go-root: true 25 | packages: 26 | # The io/ioutil package has been deprecated. 27 | # https://go.dev/doc/go1.16#ioutil 28 | - io/ioutil 29 | 30 | issues: 31 | exclude-rules: 32 | - linters: 33 | - revive 34 | text: "stutters" 35 | -------------------------------------------------------------------------------- /provenance.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package imageinspect 16 | 17 | type Provenance struct { // TODO: this is only a stub, to be refactored later 18 | BuildSource string `json:",omitempty"` 19 | BuildDefinition string `json:",omitempty"` 20 | BuildParameters map[string]string `json:",omitempty"` 21 | Materials []Material 22 | } 23 | 24 | type Material struct { 25 | Type string `json:",omitempty"` 26 | Ref string `json:",omitempty"` 27 | Alias string `json:",omitempty"` 28 | Pin string `json:",omitempty"` 29 | } 30 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: ci 2 | 3 | on: 4 | push: 5 | branches: 6 | - 'main' 7 | tags: 8 | - 'v*' 9 | pull_request: 10 | 11 | env: 12 | DESTDIR: "./bin" 13 | 14 | jobs: 15 | validate: 16 | runs-on: ubuntu-latest 17 | strategy: 18 | fail-fast: false 19 | matrix: 20 | target: 21 | - lint 22 | - vendor-validate 23 | - license-validate 24 | steps: 25 | - 26 | name: Checkout 27 | uses: actions/checkout@v3 28 | - 29 | name: Set up Docker Buildx 30 | uses: docker/setup-buildx-action@v2 31 | - 32 | name: Validate 33 | uses: docker/bake-action@v2 34 | with: 35 | targets: ${{ matrix.target }} 36 | 37 | test: 38 | runs-on: ubuntu-latest 39 | steps: 40 | - 41 | name: Checkout 42 | uses: actions/checkout@v3 43 | - 44 | name: Test 45 | uses: docker/bake-action@v2 46 | with: 47 | targets: test 48 | - 49 | name: Upload coverage 50 | uses: codecov/codecov-action@v3 51 | with: 52 | file: ${{ env.DESTDIR }}/coverage.txt 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # go-imageinspect 2 | 3 | [![CI Status](https://img.shields.io/github/actions/workflow/status/docker/go-imageinspect/ci.yml?label=ci&logo=github&style=flat-square)](https://github.com/docker/go-imageinspect/actions?query=workflow%3Aci) 4 | 5 | Go library for accessing container images with their associated objects and 6 | typed metadata. 7 | 8 | ## Experimental :test_tube: 9 | 10 | This repository is considered **EXPERIMENTAL** and under active development 11 | until further notice. It is subject to non-backward compatible changes or 12 | removal in any future version. 13 | 14 | ## Rationale 15 | 16 | Image authors are increasingly distributing associated metadata and artifacts 17 | alongside their images, such as OCI annotations, SLSA Provenance, SBOMs, 18 | signatures, and more. The exact method of storage can differ across the 19 | ecosystem, making this information difficult to consume. 20 | 21 | This library provides a unified interface for accessing this metadata and 22 | ensuring that it can be consumed consistently. 23 | 24 | ## Support 25 | 26 | This library supports pulling metadata from the following formats: 27 | 28 | - [BuildKit attestations](https://github.com/moby/buildkit/blob/master/docs/attestations/attestation-storage.md) 29 | 30 | ## Usage 31 | 32 | go-imageinspect is intended to be used as a library. However, for development 33 | purposes, a simple command line tool is provided for prototyping: 34 | 35 | ```console 36 | $ docker buildx bake bin 37 | $ ./bin/imageinspect moby/buildkit:latest 38 | ``` 39 | 40 | ## Contributing 41 | 42 | Want to contribute? Awesome! You can find information about contributing to 43 | this project in the [CONTRIBUTING.md](/.github/CONTRIBUTING.md) 44 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/docker/go-imageinspect 2 | 3 | go 1.18 4 | 5 | require ( 6 | github.com/containerd/containerd v1.6.10 7 | github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add 8 | github.com/moby/buildkit v0.10.1-0.20221121234933-ae9d0f57c7f3 9 | github.com/opencontainers/go-digest v1.0.0 10 | github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 11 | github.com/pkg/errors v0.9.1 12 | github.com/spdx/tools-golang v0.4.0 13 | github.com/stretchr/testify v1.8.0 14 | golang.org/x/sync v0.1.0 15 | ) 16 | 17 | require ( 18 | github.com/containerd/ttrpc v1.1.0 // indirect 19 | github.com/davecgh/go-spew v1.1.1 // indirect 20 | github.com/docker/distribution v2.8.1+incompatible // indirect 21 | github.com/docker/docker v20.10.18+incompatible // indirect 22 | github.com/gogo/protobuf v1.3.2 // indirect 23 | github.com/golang/protobuf v1.5.2 // indirect 24 | github.com/klauspost/compress v1.15.12 // indirect 25 | github.com/moby/locker v1.0.1 // indirect 26 | github.com/pmezard/go-difflib v1.0.0 // indirect 27 | github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect 28 | github.com/shibumi/go-pathspec v1.3.0 // indirect 29 | github.com/sirupsen/logrus v1.9.0 // indirect 30 | golang.org/x/crypto v0.2.0 // indirect 31 | golang.org/x/net v0.2.0 // indirect 32 | golang.org/x/sys v0.2.0 // indirect 33 | google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect 34 | google.golang.org/grpc v1.50.1 // indirect 35 | google.golang.org/protobuf v1.28.1 // indirect 36 | gopkg.in/yaml.v3 v3.0.1 // indirect 37 | ) 38 | 39 | replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20221124164242-a913b5ad7ef1+incompatible // 22.06 branch (v23.0.0-dev) 40 | -------------------------------------------------------------------------------- /docker-bake.hcl: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | # Defines the output folder 16 | variable "DESTDIR" { 17 | default = "" 18 | } 19 | function "bindir" { 20 | params = [defaultdir] 21 | result = DESTDIR != "" ? DESTDIR : "./bin/${defaultdir}" 22 | } 23 | 24 | group "default" { 25 | targets = ["test"] 26 | } 27 | 28 | group "validate" { 29 | targets = ["lint", "vendor-validate", "license-validate"] 30 | } 31 | 32 | target "lint" { 33 | target = "lint" 34 | output = ["type=cacheonly"] 35 | } 36 | 37 | target "vendor-validate" { 38 | target = "vendor-validate" 39 | output = ["type=cacheonly"] 40 | } 41 | 42 | target "vendor-update" { 43 | target = "vendor-update" 44 | output = ["."] 45 | } 46 | 47 | target "bin" { 48 | target = "bin" 49 | platforms = ["local"] 50 | output = ["type=local,dest=bin"] 51 | } 52 | 53 | target "test" { 54 | target = "test-coverage" 55 | output = [bindir("coverage")] 56 | } 57 | 58 | target "license-validate" { 59 | target = "license-validate" 60 | output = ["type=cacheonly"] 61 | } 62 | 63 | target "license-update" { 64 | target = "license-update" 65 | output = ["."] 66 | } 67 | -------------------------------------------------------------------------------- /types.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package imageinspect 16 | 17 | import "github.com/opencontainers/go-digest" 18 | 19 | type ResultType string 20 | 21 | const ( 22 | Manifest ResultType = "manifest" 23 | Index ResultType = "index" 24 | Unknown ResultType = "unknown" 25 | ) 26 | 27 | type Result struct { 28 | Digest digest.Digest 29 | ResultType ResultType 30 | Platforms []string 31 | Images map[string]Image 32 | 33 | // Signature summary 34 | } 35 | 36 | type Identity struct { 37 | PublicKey string 38 | // ... 39 | } 40 | 41 | type Signature struct { 42 | Verified bool 43 | Identity Identity 44 | } 45 | 46 | type Image struct { 47 | Title string 48 | Platform string 49 | Author string 50 | Vendor string 51 | URL string 52 | Source string 53 | Revision string 54 | Documentation string 55 | ShortDescription string 56 | Description string 57 | License string 58 | Size int64 59 | 60 | Signatures []Signature 61 | SBOM *SBOM `json:",omitempty"` 62 | Provenance *Provenance `json:",omitempty"` 63 | 64 | // Build logs 65 | // Hub identity 66 | } 67 | -------------------------------------------------------------------------------- /cmd/imageinspect/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package main 16 | 17 | import ( 18 | "encoding/json" 19 | "flag" 20 | "log" 21 | "os" 22 | 23 | "github.com/containerd/containerd/remotes/docker" 24 | "github.com/docker/go-imageinspect" 25 | "github.com/moby/buildkit/util/appcontext" 26 | "github.com/pkg/errors" 27 | ) 28 | 29 | func main() { 30 | if err := run(); err != nil { 31 | log.Printf("error: %+v", err) 32 | os.Exit(1) 33 | } 34 | } 35 | 36 | func run() error { 37 | opt := imageinspect.Opt{ 38 | Resolver: docker.NewResolver(docker.ResolverOptions{}), // TODO: auth 39 | } 40 | 41 | flag.StringVar(&opt.CacheDir, "cache-dir", "", "cache directory") 42 | flag.Parse() 43 | 44 | args := flag.Args() 45 | 46 | if len(args) != 1 { 47 | return errors.Errorf("one argument required, got %d", len(args)) 48 | } 49 | 50 | l, err := imageinspect.NewLoader(opt) 51 | if err != nil { 52 | return err 53 | } 54 | 55 | ctx := appcontext.Context() 56 | 57 | r, err := l.Load(ctx, args[0]) 58 | if err != nil { 59 | return err 60 | } 61 | 62 | enc := json.NewEncoder(os.Stdout) 63 | enc.SetIndent("", " ") 64 | if err := enc.Encode(r); err != nil { 65 | return err 66 | } 67 | 68 | return nil 69 | } 70 | -------------------------------------------------------------------------------- /testutil/image.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package testutil 16 | 17 | import ( 18 | "encoding/json" 19 | 20 | "github.com/opencontainers/go-digest" 21 | ocispec "github.com/opencontainers/image-spec/specs-go/v1" 22 | ) 23 | 24 | func Config(img ocispec.Image) (*Blob, error) { 25 | if img.Architecture == "" { 26 | img.Architecture = "amd64" 27 | } 28 | if img.OS == "" { 29 | img.OS = "linux" 30 | } 31 | 32 | dt, err := json.Marshal(img) 33 | if err != nil { 34 | return nil, err 35 | } 36 | 37 | return &Blob{ 38 | Data: dt, 39 | Descriptor: ocispec.Descriptor{ 40 | MediaType: ocispec.MediaTypeImageConfig, 41 | Digest: digest.FromBytes(dt), 42 | Size: int64(len(dt)), 43 | Platform: &ocispec.Platform{ 44 | OS: img.OS, 45 | Architecture: img.Architecture, 46 | Variant: img.Variant, 47 | }, 48 | }, 49 | }, nil 50 | } 51 | 52 | func Manifest(mfst ocispec.Manifest) (*Blob, error) { 53 | if mfst.Config.MediaType == "" { 54 | mfst.Config.MediaType = ocispec.MediaTypeImageConfig 55 | } 56 | platform := mfst.Config.Platform 57 | mfst.Config.Platform = nil 58 | 59 | for i, l := range mfst.Layers { 60 | if l.MediaType == "" { 61 | l.MediaType = ocispec.MediaTypeImageLayer 62 | } 63 | if l.Digest == "" { 64 | if l.Size == 0 { 65 | l.Size = int64(i + 1) 66 | } 67 | dt := make([]byte, l.Size) 68 | for j := 0; j < int(l.Size); j++ { 69 | dt[j] = byte(i + int(l.Size%256)) 70 | } 71 | l.Digest = digest.FromBytes(dt) 72 | } 73 | mfst.Layers[i] = l 74 | } 75 | 76 | dt, err := json.Marshal(mfst) 77 | if err != nil { 78 | return nil, err 79 | } 80 | 81 | return &Blob{ 82 | Data: dt, 83 | Descriptor: ocispec.Descriptor{ 84 | MediaType: ocispec.MediaTypeImageManifest, 85 | Digest: digest.FromBytes(dt), 86 | Size: int64(len(dt)), 87 | Platform: platform, 88 | }, 89 | }, nil 90 | } 91 | 92 | func Index(idx ocispec.Index) (*Blob, error) { 93 | for i, m := range idx.Manifests { 94 | if m.MediaType == "" { 95 | m.MediaType = ocispec.MediaTypeImageManifest 96 | } 97 | idx.Manifests[i] = m 98 | } 99 | dt, err := json.Marshal(idx) 100 | if err != nil { 101 | return nil, err 102 | } 103 | 104 | return &Blob{ 105 | Data: dt, 106 | Descriptor: ocispec.Descriptor{ 107 | MediaType: ocispec.MediaTypeImageIndex, 108 | Digest: digest.FromBytes(dt), 109 | Size: int64(len(dt)), 110 | }, 111 | }, nil 112 | } 113 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # syntax=docker/dockerfile:1 2 | 3 | # Copyright 2022 go-imageinspect authors 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | # See the License for the specific language governing permissions and 15 | # limitations under the License. 16 | 17 | ARG GO_VERSION="1.19" 18 | ARG GOLANGCI_LINT_VERSION="v1.48" 19 | ARG ADDLICENSE_VERSION="v1.0.0" 20 | 21 | ARG LICENSE_ARGS="-c go-imageinspect -l apache" 22 | ARG LICENSE_FILES=".*\(Dockerfile\|\.go\|\.hcl\|\.sh\)" 23 | 24 | FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint 25 | FROM ghcr.io/google/addlicense:${ADDLICENSE_VERSION} AS addlicense 26 | FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.1.2 AS xx 27 | 28 | FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base 29 | RUN apk add --no-cache cpio findutils git linux-headers 30 | ENV CGO_ENABLED=0 31 | WORKDIR /src 32 | 33 | FROM base AS build-base 34 | COPY --link --from=xx / / 35 | COPY go.* . 36 | RUN --mount=type=cache,target=/go/pkg/mod \ 37 | --mount=type=cache,target=/root/.cache/go-build \ 38 | go mod download 39 | 40 | FROM base AS vendored 41 | RUN --mount=type=bind,target=.,rw \ 42 | --mount=type=cache,target=/go/pkg/mod \ 43 | go mod tidy && mkdir /out && cp go.mod go.sum /out 44 | 45 | FROM scratch AS vendor-update 46 | COPY --from=vendored /out / 47 | 48 | FROM vendored AS vendor-validate 49 | RUN --mount=type=bind,target=.,rw <&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"' 56 | echo "$diff" 57 | exit 1 58 | fi 59 | EOT 60 | 61 | FROM build-base AS lint 62 | RUN --mount=type=bind,target=. \ 63 | --mount=type=cache,target=/root/.cache \ 64 | --mount=type=cache,target=/go/pkg/mod \ 65 | --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \ 66 | golangci-lint run ./... 67 | 68 | FROM base AS license-set 69 | ARG LICENSE_ARGS 70 | ARG LICENSE_FILES 71 | RUN --mount=type=bind,target=.,rw \ 72 | --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \ 73 | find . -regex "${LICENSE_FILES}" | xargs addlicense ${LICENSE_ARGS} \ 74 | && mkdir /out \ 75 | && find . -regex "${LICENSE_FILES}" | cpio -pdm /out 76 | 77 | FROM scratch AS license-update 78 | COPY --from=license-set /out / 79 | 80 | FROM base AS license-validate 81 | ARG LICENSE_ARGS 82 | ARG LICENSE_FILES 83 | RUN --mount=type=bind,target=. \ 84 | --mount=from=addlicense,source=/app/addlicense,target=/usr/bin/addlicense \ 85 | find . -regex "${LICENSE_FILES}" | xargs addlicense -check ${LICENSE_ARGS} 86 | 87 | FROM build-base AS test 88 | RUN --mount=type=bind,target=. \ 89 | --mount=type=cache,target=/root/.cache \ 90 | --mount=type=cache,target=/go/pkg/mod \ 91 | go test -v -coverprofile=/tmp/coverage.txt -covermode=atomic ./... 92 | 93 | FROM scratch AS test-coverage 94 | COPY --from=test /tmp/coverage.txt /coverage.txt 95 | 96 | FROM build-base AS build-bin 97 | ARG TARGETPLATFORM 98 | RUN --mount=type=bind,target=. \ 99 | --mount=type=cache,target=/root/.cache \ 100 | --mount=type=cache,target=/go/pkg/mod \ 101 | xx-go build -ldflags "-extldflags -static" -o /usr/bin/imageinspect ./cmd/imageinspect && \ 102 | xx-verify --static /usr/bin/imageinspect 103 | 104 | FROM scratch as bin 105 | COPY --from=build-bin /usr/bin/imageinspect ./ 106 | -------------------------------------------------------------------------------- /testutil/env.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package testutil 16 | 17 | import ( 18 | "bytes" 19 | "context" 20 | "encoding/json" 21 | "io" 22 | "sync" 23 | "testing" 24 | 25 | distref "github.com/containerd/containerd/reference/docker" 26 | "github.com/containerd/containerd/remotes" 27 | "github.com/moby/buildkit/util/imageutil" 28 | "github.com/opencontainers/go-digest" 29 | ocispec "github.com/opencontainers/image-spec/specs-go/v1" 30 | "github.com/pkg/errors" 31 | ) 32 | 33 | type Blob struct { 34 | Descriptor ocispec.Descriptor 35 | Data []byte 36 | } 37 | 38 | type Env struct { 39 | t *testing.T 40 | 41 | mu sync.Mutex 42 | blobs map[digest.Digest][]byte 43 | tags map[string]digest.Digest 44 | } 45 | 46 | func NewEnv(t *testing.T) *Env { 47 | return &Env{ 48 | t: t, 49 | blobs: map[digest.Digest][]byte{}, 50 | tags: map[string]digest.Digest{}, 51 | } 52 | } 53 | 54 | func (e *Env) AddBlob(b *Blob) (digest.Digest, error) { 55 | // validate JSON to error early 56 | m := map[string]interface{}{} 57 | if err := json.Unmarshal(b.Data, &m); err != nil { 58 | return "", err 59 | } 60 | 61 | dgst := digest.FromBytes(b.Data) 62 | if b.Descriptor.Digest != "" { 63 | if dgst != b.Descriptor.Digest { 64 | return "", errors.Errorf("blob digest %s does not match descriptor digest %s", dgst, b.Descriptor.Digest) 65 | } 66 | } 67 | e.mu.Lock() 68 | e.blobs[dgst] = b.Data 69 | e.mu.Unlock() 70 | e.t.Logf("added blob %s", dgst) 71 | return dgst, nil 72 | } 73 | 74 | func (e *Env) AddTag(ref string, dgst digest.Digest) error { 75 | e.mu.Lock() 76 | _, ok := e.blobs[dgst] 77 | if !ok { 78 | return errors.Errorf("blob %s not found", dgst) 79 | } 80 | e.tags[ref] = dgst 81 | e.mu.Unlock() 82 | e.t.Logf("added tag %s -> %s", ref, dgst) 83 | return nil 84 | } 85 | 86 | func (e *Env) Resolve(ctx context.Context, ref string) (name string, desc ocispec.Descriptor, err error) { 87 | e.mu.Lock() 88 | defer e.mu.Unlock() 89 | 90 | dgst, ok := e.tags[ref] 91 | if !ok { 92 | return "", ocispec.Descriptor{}, errors.Errorf("tag %s not found", ref) 93 | } 94 | 95 | dt, ok := e.blobs[dgst] 96 | if !ok { 97 | return "", ocispec.Descriptor{}, errors.Errorf("blob %s not found", dgst) 98 | } 99 | 100 | mt, err := imageutil.DetectManifestBlobMediaType(dt) 101 | if err != nil { 102 | return "", ocispec.Descriptor{}, err 103 | } 104 | 105 | return ref, ocispec.Descriptor{ 106 | Digest: dgst, 107 | MediaType: mt, 108 | Size: int64(len(dt)), 109 | }, nil 110 | 111 | } 112 | 113 | func (e *Env) Fetcher(ctx context.Context, ref string) (remotes.Fetcher, error) { 114 | e.mu.Lock() 115 | defer e.mu.Unlock() 116 | 117 | named, err := distref.Parse(ref) 118 | if err != nil { 119 | return nil, errors.Wrapf(err, "failed to parse %q", ref) 120 | } 121 | 122 | if canonical, ok := named.(distref.Canonical); ok { 123 | _, ok := e.blobs[canonical.Digest()] 124 | if !ok { 125 | return nil, errors.Errorf("tag %s not found", ref) 126 | } 127 | return e, nil 128 | } 129 | 130 | _, ok := e.tags[ref] 131 | if !ok { 132 | return nil, errors.Errorf("tag %s not found", ref) 133 | } 134 | 135 | return e, nil 136 | } 137 | 138 | func (e *Env) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) { 139 | e.mu.Lock() 140 | defer e.mu.Unlock() 141 | 142 | dt, ok := e.blobs[desc.Digest] 143 | if !ok { 144 | return nil, errors.Errorf("blob %s not found", desc.Digest) 145 | } 146 | return io.NopCloser(bytes.NewReader(dt)), nil 147 | } 148 | 149 | func (e *Env) Pusher(ctx context.Context, ref string) (remotes.Pusher, error) { 150 | return nil, errors.Errorf("pusher not implemented") 151 | } 152 | -------------------------------------------------------------------------------- /load_test.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package imageinspect 16 | 17 | import ( 18 | "context" 19 | "testing" 20 | 21 | "github.com/docker/go-imageinspect/testutil" 22 | ocispec "github.com/opencontainers/image-spec/specs-go/v1" 23 | "github.com/stretchr/testify/require" 24 | ) 25 | 26 | func TestSingleArchManifest(t *testing.T) { 27 | t.Parallel() 28 | 29 | ctx := context.Background() 30 | env := testutil.NewEnv(t) 31 | 32 | cfg, err := testutil.Config(ocispec.Image{ 33 | Architecture: "arm64", 34 | OS: "linux", 35 | }) 36 | require.NoError(t, err) 37 | _, err = env.AddBlob(cfg) 38 | require.NoError(t, err) 39 | 40 | mfst, err := testutil.Manifest(ocispec.Manifest{ 41 | Config: cfg.Descriptor, 42 | Layers: []ocispec.Descriptor{ 43 | {Size: 100}, 44 | {Size: 200}, 45 | }, 46 | }) 47 | require.NoError(t, err) 48 | _, err = env.AddBlob(mfst) 49 | require.NoError(t, err) 50 | 51 | require.NoError(t, env.AddTag("docker.io/library/test:latest", mfst.Descriptor.Digest)) 52 | 53 | l, err := NewLoader(Opt{ 54 | CacheDir: t.TempDir(), 55 | Resolver: env, 56 | }) 57 | require.NoError(t, err) 58 | 59 | r, err := l.Load(ctx, "test") 60 | require.NoError(t, err) 61 | 62 | require.Equal(t, mfst.Descriptor.Digest, r.Digest) 63 | require.Equal(t, Manifest, r.ResultType) 64 | 65 | require.Equal(t, []string{"linux/arm64"}, r.Platforms) 66 | require.Equal(t, 1, len(r.Images)) 67 | 68 | img, ok := r.Images["linux/arm64"] 69 | require.True(t, ok) 70 | 71 | require.Equal(t, int64(300), img.Size) 72 | require.Equal(t, "linux/arm64", img.Platform) 73 | } 74 | 75 | func TestMultiArchManifest(t *testing.T) { 76 | t.Parallel() 77 | 78 | ctx := context.Background() 79 | env := testutil.NewEnv(t) 80 | 81 | cfg, err := testutil.Config(ocispec.Image{ 82 | Architecture: "arm64", 83 | OS: "linux", 84 | }) 85 | require.NoError(t, err) 86 | _, err = env.AddBlob(cfg) 87 | require.NoError(t, err) 88 | 89 | mfst1, err := testutil.Manifest(ocispec.Manifest{ 90 | Config: cfg.Descriptor, 91 | Layers: []ocispec.Descriptor{ 92 | {Size: 25}, 93 | }, 94 | }) 95 | require.NoError(t, err) 96 | _, err = env.AddBlob(mfst1) 97 | require.NoError(t, err) 98 | 99 | cfg, err = testutil.Config(ocispec.Image{ 100 | Architecture: "amd64", 101 | OS: "linux", 102 | }) 103 | require.NoError(t, err) 104 | _, err = env.AddBlob(cfg) 105 | require.NoError(t, err) 106 | 107 | mfst2, err := testutil.Manifest(ocispec.Manifest{ 108 | Config: cfg.Descriptor, 109 | Layers: []ocispec.Descriptor{ 110 | {Size: 50}, 111 | }, 112 | }) 113 | require.NoError(t, err) 114 | _, err = env.AddBlob(mfst2) 115 | require.NoError(t, err) 116 | 117 | idx, err := testutil.Index(ocispec.Index{ 118 | Manifests: []ocispec.Descriptor{ 119 | mfst1.Descriptor, 120 | mfst2.Descriptor, 121 | }, 122 | }) 123 | require.NoError(t, err) 124 | _, err = env.AddBlob(idx) 125 | require.NoError(t, err) 126 | 127 | require.NoError(t, env.AddTag("docker.io/library/test:latest", idx.Descriptor.Digest)) 128 | 129 | l, err := NewLoader(Opt{ 130 | CacheDir: t.TempDir(), 131 | Resolver: env, 132 | }) 133 | require.NoError(t, err) 134 | 135 | r, err := l.Load(ctx, "test") 136 | require.NoError(t, err) 137 | 138 | require.Equal(t, idx.Descriptor.Digest, r.Digest) 139 | require.Equal(t, Index, r.ResultType) 140 | 141 | require.Equal(t, []string{"linux/amd64", "linux/arm64"}, r.Platforms) 142 | require.Equal(t, 2, len(r.Images)) 143 | 144 | img, ok := r.Images["linux/arm64"] 145 | require.True(t, ok) 146 | 147 | require.Equal(t, int64(25), img.Size) 148 | require.Equal(t, "linux/arm64", img.Platform) 149 | 150 | img, ok = r.Images["linux/amd64"] 151 | require.True(t, ok) 152 | 153 | require.Equal(t, int64(50), img.Size) 154 | require.Equal(t, "linux/amd64", img.Platform) 155 | } 156 | 157 | func TestTitle(t *testing.T) { 158 | t.Parallel() 159 | 160 | ctx := context.Background() 161 | env := testutil.NewEnv(t) 162 | 163 | cfg, err := testutil.Config(ocispec.Image{}) 164 | require.NoError(t, err) 165 | _, err = env.AddBlob(cfg) 166 | require.NoError(t, err) 167 | 168 | mfst, err := testutil.Manifest(ocispec.Manifest{ 169 | Config: cfg.Descriptor, 170 | Annotations: map[string]string{ 171 | "org.opencontainers.image.title": "this is title", 172 | }, 173 | }) 174 | require.NoError(t, err) 175 | _, err = env.AddBlob(mfst) 176 | require.NoError(t, err) 177 | 178 | require.NoError(t, env.AddTag("docker.io/library/test:latest", mfst.Descriptor.Digest)) 179 | 180 | l, err := NewLoader(Opt{ 181 | CacheDir: t.TempDir(), 182 | Resolver: env, 183 | }) 184 | require.NoError(t, err) 185 | 186 | r, err := l.Load(ctx, "test") 187 | require.NoError(t, err) 188 | 189 | require.Equal(t, mfst.Descriptor.Digest, r.Digest) 190 | require.Equal(t, Manifest, r.ResultType) 191 | 192 | require.Equal(t, 1, len(r.Platforms)) 193 | require.Equal(t, 1, len(r.Images)) 194 | 195 | img, ok := r.Images[r.Platforms[0]] 196 | require.True(t, ok) 197 | 198 | require.Equal(t, "this is title", img.Title) 199 | } 200 | -------------------------------------------------------------------------------- /sbom.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package imageinspect 16 | 17 | import ( 18 | "bytes" 19 | "context" 20 | "encoding/json" 21 | "sort" 22 | "strings" 23 | 24 | "github.com/containerd/containerd/content" 25 | "github.com/containerd/containerd/remotes" 26 | intoto "github.com/in-toto/in-toto-golang/in_toto" 27 | "github.com/opencontainers/go-digest" 28 | "github.com/pkg/errors" 29 | spdx_json "github.com/spdx/tools-golang/json" 30 | spdx_common "github.com/spdx/tools-golang/spdx/common" 31 | spdx "github.com/spdx/tools-golang/spdx/v2_3" 32 | ) 33 | 34 | type SBOM struct { 35 | AlpinePackages []Package `json:",omitempty"` 36 | UnknownPackages []Package `json:",omitempty"` 37 | } 38 | 39 | type pkgType int 40 | 41 | const ( 42 | pkgTypeUnknown pkgType = iota 43 | pkgTypeAlpine 44 | ) 45 | 46 | type Package struct { 47 | Name string 48 | Version string 49 | Description string 50 | Creator PackageCreator 51 | DownloadURL string 52 | HomepageURL string 53 | License []string 54 | Files []string 55 | 56 | CPEs []string 57 | } 58 | 59 | type PackageCreator struct { 60 | Name string // TODO: split name and e-mail 61 | Org string `json:",omitempty"` 62 | } 63 | 64 | type spdxStatement struct { 65 | intoto.StatementHeader 66 | Predicate json.RawMessage `json:"predicate"` 67 | } 68 | 69 | func (l *Loader) scanSBOM(ctx context.Context, fetcher remotes.Fetcher, r *result, subject digest.Digest, refs []digest.Digest, img *Image) error { 70 | ctx = remotes.WithMediaTypeKeyPrefix(ctx, "application/vnd.in-toto+json", "intoto") 71 | 72 | for _, dgst := range refs { 73 | mfst, ok := r.manifests[dgst] 74 | if !ok { 75 | return errors.Errorf("referenced image %s not found", dgst) 76 | } 77 | 78 | for _, layer := range mfst.manifest.Layers { 79 | if layer.MediaType == "application/vnd.in-toto+json" && layer.Annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document" { 80 | var stmt spdxStatement 81 | _, err := remotes.FetchHandler(l.cache, fetcher)(ctx, layer) 82 | if err != nil { 83 | return err 84 | } 85 | dt, err := content.ReadBlob(ctx, l.cache, layer) 86 | if err != nil { 87 | return err 88 | } 89 | if err := json.Unmarshal(dt, &stmt); err != nil { 90 | return err 91 | } 92 | 93 | if stmt.PredicateType != "https://spdx.dev/Document" { 94 | return errors.Errorf("unexpected predicate type %s", stmt.PredicateType) 95 | } 96 | 97 | subjectValidated := false 98 | for _, s := range stmt.Subject { 99 | for alg, hash := range s.Digest { 100 | if alg+":"+hash == subject.String() { 101 | subjectValidated = true 102 | break 103 | } 104 | } 105 | } 106 | 107 | if !subjectValidated { 108 | return errors.Errorf("unable to validate subject %s, expected %s", stmt.Subject, subject.String()) 109 | } 110 | 111 | doc, err := decodeSPDX(stmt.Predicate) 112 | if err != nil { 113 | return err 114 | } 115 | addSPDX(img, doc) 116 | } 117 | } 118 | } 119 | 120 | normalizeSBOM(img.SBOM) 121 | 122 | return nil 123 | } 124 | 125 | func addSPDX(img *Image, doc spdxDocument) { 126 | sbom := img.SBOM 127 | if sbom == nil { 128 | sbom = &SBOM{} 129 | } 130 | 131 | for _, p := range doc.Packages { 132 | var files []string 133 | for _, relationship := range doc.RelationshipsByPackageID[p.PackageSPDXIdentifier] { 134 | if relationship.Relationship == "CONTAINS" { 135 | f, ok := doc.FilesByID[relationship.RefB.ElementRefID] 136 | if !ok { 137 | continue 138 | } 139 | files = append(files, f.FileName) 140 | } 141 | } 142 | 143 | pkg := Package{ 144 | Name: p.PackageName, 145 | Version: p.PackageVersion, 146 | Description: p.PackageDescription, 147 | HomepageURL: p.PackageHomePage, 148 | DownloadURL: p.PackageDownloadLocation, 149 | License: strings.Split(p.PackageLicenseConcluded, " AND "), 150 | Files: files, 151 | } 152 | if p.PackageOriginator != nil && p.PackageOriginator.Originator != "" { 153 | creator := PackageCreator{} 154 | switch p.PackageOriginator.OriginatorType { 155 | case "Person": 156 | creator.Name = p.PackageOriginator.Originator 157 | case "Organization": 158 | creator.Org = p.PackageOriginator.Originator 159 | } 160 | pkg.Creator = creator 161 | } 162 | 163 | typ := pkgTypeUnknown 164 | for _, ref := range p.PackageExternalReferences { 165 | if ref.Category == "PACKAGE_MANAGER" && ref.RefType == "purl" { 166 | if strings.HasPrefix(ref.Locator, "pkg:alpine/") { 167 | typ = pkgTypeAlpine 168 | } 169 | } 170 | if ref.Category == "SECURITY" && ref.RefType == "cpe23Type" { 171 | pkg.CPEs = append(pkg.CPEs, ref.Locator) 172 | } 173 | } 174 | 175 | switch typ { 176 | case pkgTypeAlpine: 177 | sbom.AlpinePackages = append(sbom.AlpinePackages, pkg) 178 | default: 179 | sbom.UnknownPackages = append(sbom.UnknownPackages, pkg) 180 | } 181 | } 182 | img.SBOM = sbom 183 | } 184 | 185 | func normalizeSBOM(sbom *SBOM) { 186 | if sbom == nil { 187 | return 188 | } 189 | 190 | for _, pkgs := range [][]Package{sbom.AlpinePackages, sbom.UnknownPackages} { 191 | // TODO: remote duplicates 192 | sort.Slice(pkgs, func(i, j int) bool { 193 | if pkgs[i].Name == pkgs[j].Name { 194 | return pkgs[i].Version < pkgs[j].Version 195 | } 196 | return pkgs[i].Name < pkgs[j].Name 197 | }) 198 | } 199 | } 200 | 201 | func decodeSPDX(dt []byte) (s spdxDocument, err error) { 202 | doc, err := spdx_json.Load2_3(bytes.NewReader(dt)) 203 | if err != nil { 204 | return spdxDocument{}, errors.Wrap(err, "unable to decode spdx") 205 | } 206 | if doc == nil { 207 | return spdxDocument{}, errors.New("decoding produced empty spdx document") 208 | } 209 | return newSPDXWrapper(doc), nil 210 | } 211 | 212 | type spdxDocument struct { 213 | *spdx.Document 214 | 215 | PackagesByID map[spdx_common.ElementID]*spdx.Package 216 | FilesByID map[spdx_common.ElementID]*spdx.File 217 | 218 | RelationshipsByPackageID map[spdx_common.ElementID][]*spdx.Relationship 219 | } 220 | 221 | func newSPDXWrapper(doc *spdx.Document) spdxDocument { 222 | packagesByID := map[spdx_common.ElementID]*spdx.Package{} 223 | for _, p := range doc.Packages { 224 | packagesByID[p.PackageSPDXIdentifier] = p 225 | } 226 | filesByID := map[spdx_common.ElementID]*spdx.File{} 227 | for _, f := range doc.Files { 228 | filesByID[f.FileSPDXIdentifier] = f 229 | } 230 | relationshipsByPackageID := map[spdx_common.ElementID][]*spdx.Relationship{} 231 | for _, r := range doc.Relationships { 232 | relationshipsByPackageID[r.RefA.ElementRefID] = append(relationshipsByPackageID[r.RefA.ElementRefID], r) 233 | } 234 | 235 | return spdxDocument{ 236 | Document: doc, 237 | PackagesByID: packagesByID, 238 | FilesByID: filesByID, 239 | RelationshipsByPackageID: relationshipsByPackageID, 240 | } 241 | } 242 | -------------------------------------------------------------------------------- /load.go: -------------------------------------------------------------------------------- 1 | // Copyright 2022 go-imageinspect authors 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | package imageinspect 16 | 17 | import ( 18 | "context" 19 | "encoding/json" 20 | "path/filepath" 21 | "sort" 22 | "sync" 23 | 24 | "github.com/containerd/containerd/content" 25 | "github.com/containerd/containerd/content/local" 26 | "github.com/containerd/containerd/images" 27 | "github.com/containerd/containerd/platforms" 28 | distref "github.com/containerd/containerd/reference/docker" 29 | "github.com/containerd/containerd/remotes" 30 | "github.com/moby/buildkit/util/contentutil" 31 | "github.com/pkg/errors" 32 | "golang.org/x/sync/errgroup" 33 | 34 | "github.com/opencontainers/go-digest" 35 | ocispec "github.com/opencontainers/image-spec/specs-go/v1" 36 | ) 37 | 38 | const ( 39 | AnnotationReference = "vnd.docker.reference.digest" 40 | AnnotationImageTitle = "org.opencontainers.image.title" 41 | ) 42 | 43 | type ContentCache interface { 44 | content.Provider 45 | content.Ingester 46 | } 47 | 48 | type Opt struct { 49 | Resolver remotes.Resolver 50 | CacheDir string 51 | } 52 | 53 | type Loader struct { 54 | opt *Opt 55 | 56 | cache ContentCache 57 | } 58 | 59 | type manifest struct { 60 | desc ocispec.Descriptor 61 | manifest ocispec.Manifest 62 | } 63 | 64 | type index struct { 65 | desc ocispec.Descriptor 66 | index ocispec.Index 67 | } 68 | 69 | type result struct { 70 | mu sync.Mutex 71 | indexes map[digest.Digest]index 72 | manifests map[digest.Digest]manifest 73 | images map[string]digest.Digest 74 | refs map[digest.Digest][]digest.Digest 75 | } 76 | 77 | func newResult() *result { 78 | return &result{ 79 | indexes: make(map[digest.Digest]index), 80 | manifests: make(map[digest.Digest]manifest), 81 | images: make(map[string]digest.Digest), 82 | refs: make(map[digest.Digest][]digest.Digest), 83 | } 84 | } 85 | 86 | func NewLoader(opt Opt) (*Loader, error) { 87 | l := &Loader{ 88 | opt: &opt, 89 | } 90 | 91 | if opt.CacheDir != "" { 92 | store, err := local.NewStore(filepath.Join(opt.CacheDir, "content")) 93 | if err != nil { 94 | return nil, err 95 | } 96 | l.cache = store 97 | } else { 98 | l.cache = contentutil.NewBuffer() 99 | } 100 | 101 | return l, nil 102 | } 103 | 104 | func (l *Loader) Load(ctx context.Context, ref string) (*Result, error) { 105 | named, err := parseReference(ref) 106 | if err != nil { 107 | return nil, err 108 | } 109 | 110 | _, desc, err := l.opt.Resolver.Resolve(ctx, named.String()) 111 | if err != nil { 112 | return nil, err 113 | } 114 | 115 | canonical, err := distref.WithDigest(named, desc.Digest) 116 | if err != nil { 117 | return nil, err 118 | } 119 | 120 | fetcher, err := l.opt.Resolver.Fetcher(ctx, canonical.String()) 121 | if err != nil { 122 | return nil, err 123 | } 124 | 125 | r := newResult() 126 | 127 | if err := l.fetch(ctx, fetcher, desc, r); err != nil { 128 | return nil, err 129 | } 130 | 131 | rr := &Result{ 132 | Images: make(map[string]Image), 133 | } 134 | 135 | rr.Digest = desc.Digest 136 | 137 | if _, ok := r.manifests[desc.Digest]; ok { 138 | rr.ResultType = Manifest 139 | } else if _, ok := r.indexes[desc.Digest]; ok { 140 | rr.ResultType = Index 141 | } else { 142 | rr.ResultType = Unknown 143 | } 144 | 145 | for platform, dgst := range r.images { 146 | rr.Platforms = append(rr.Platforms, platform) 147 | 148 | mfst, ok := r.manifests[dgst] 149 | if !ok { 150 | return nil, errors.Errorf("image %s not found", platform) 151 | } 152 | 153 | var img Image 154 | 155 | var size int64 156 | 157 | for _, layer := range mfst.manifest.Layers { 158 | size += layer.Size 159 | } 160 | 161 | img.Size = size 162 | img.Platform = platform 163 | 164 | annotations := make(map[string]string, len(mfst.manifest.Annotations)+len(mfst.desc.Annotations)) 165 | for k, v := range mfst.desc.Annotations { 166 | annotations[k] = v 167 | } 168 | for k, v := range mfst.manifest.Annotations { 169 | annotations[k] = v 170 | } 171 | 172 | if title, ok := annotations[AnnotationImageTitle]; ok { 173 | img.Title = title 174 | } 175 | 176 | refs, ok := r.refs[dgst] 177 | if ok { 178 | if err := l.scanSBOM(ctx, fetcher, r, dgst, refs, &img); err != nil { 179 | return nil, err // TODO: these errors should likely be stored in the result 180 | } 181 | } 182 | 183 | if err := l.scanBuildInfo(ctx, fetcher, mfst.manifest.Config, &img); err != nil { 184 | return nil, err 185 | } 186 | 187 | rr.Images[platform] = img 188 | 189 | } 190 | 191 | sort.Strings(rr.Platforms) 192 | 193 | return rr, nil 194 | } 195 | 196 | func (l *Loader) fetch(ctx context.Context, fetcher remotes.Fetcher, desc ocispec.Descriptor, r *result) error { 197 | _, err := remotes.FetchHandler(l.cache, fetcher)(ctx, desc) 198 | if err != nil { 199 | return err 200 | } 201 | 202 | switch desc.MediaType { 203 | case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: 204 | var mfst ocispec.Manifest 205 | dt, err := content.ReadBlob(ctx, l.cache, desc) 206 | if err != nil { 207 | return err 208 | } 209 | if err := json.Unmarshal(dt, &mfst); err != nil { 210 | return err 211 | } 212 | r.mu.Lock() 213 | r.manifests[desc.Digest] = manifest{ 214 | desc: desc, 215 | manifest: mfst, 216 | } 217 | r.mu.Unlock() 218 | 219 | ref, ok := desc.Annotations[AnnotationReference] 220 | if ok { 221 | refdgst, err := digest.Parse(ref) 222 | if err != nil { 223 | return err 224 | } 225 | r.mu.Lock() 226 | r.refs[refdgst] = append(r.refs[refdgst], desc.Digest) 227 | r.mu.Unlock() 228 | } else { 229 | p := desc.Platform 230 | if p == nil { 231 | p, err = l.readPlatformFromConfig(ctx, fetcher, mfst.Config) 232 | if err != nil { 233 | return err 234 | } 235 | } 236 | r.mu.Lock() 237 | r.images[platforms.Format(platforms.Normalize(*p))] = desc.Digest 238 | r.mu.Unlock() 239 | } 240 | 241 | case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: 242 | var idx ocispec.Index 243 | dt, err := content.ReadBlob(ctx, l.cache, desc) 244 | if err != nil { 245 | return err 246 | } 247 | 248 | if err := json.Unmarshal(dt, &idx); err != nil { 249 | return err 250 | } 251 | 252 | r.mu.Lock() 253 | r.indexes[desc.Digest] = index{ 254 | desc: desc, 255 | index: idx, 256 | } 257 | r.mu.Unlock() 258 | 259 | eg, ctx := errgroup.WithContext(ctx) 260 | for _, d := range idx.Manifests { 261 | d := d 262 | eg.Go(func() error { 263 | return l.fetch(ctx, fetcher, d, r) 264 | }) 265 | } 266 | 267 | if err := eg.Wait(); err != nil { 268 | return err 269 | } 270 | default: 271 | } 272 | return nil 273 | } 274 | 275 | func (l *Loader) readPlatformFromConfig(ctx context.Context, fetcher remotes.Fetcher, desc ocispec.Descriptor) (*ocispec.Platform, error) { 276 | _, err := remotes.FetchHandler(l.cache, fetcher)(ctx, desc) 277 | if err != nil { 278 | return nil, err 279 | } 280 | 281 | dt, err := content.ReadBlob(ctx, l.cache, desc) 282 | if err != nil { 283 | return nil, err 284 | } 285 | 286 | var config ocispec.Image 287 | if err := json.Unmarshal(dt, &config); err != nil { 288 | return nil, err 289 | } 290 | 291 | return &ocispec.Platform{ 292 | OS: config.OS, 293 | Architecture: config.Architecture, 294 | Variant: config.Variant, 295 | }, nil 296 | } 297 | 298 | func parseReference(ref string) (distref.Named, error) { 299 | named, err := distref.ParseNormalizedNamed(ref) 300 | if err != nil { 301 | return nil, errors.Wrapf(err, "failed to parse %q", ref) 302 | } 303 | return distref.TagNameOnly(named), nil 304 | } 305 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contribute to the go-imageinspect project 2 | 3 | This page contains information about reporting issues as well as some tips and 4 | guidelines useful to experienced open source contributors. 5 | 6 | ## Reporting security issues 7 | 8 | The project maintainers take security seriously. If you discover a security 9 | issue, please bring it to their attention right away! 10 | 11 | **Please _DO NOT_ file a public issue**, instead send your report privately to 12 | [security@docker.com](mailto:security@docker.com). 13 | 14 | Security reports are greatly appreciated and we will publicly thank you for it. 15 | We also like to send gifts—if you're into schwag, make sure to let 16 | us know. We currently do not offer a paid security bounty program, but are not 17 | ruling it out in the future. 18 | 19 | 20 | ## Reporting other issues 21 | 22 | A great way to contribute to the project is to send a detailed report when you 23 | encounter an issue. We always appreciate a well-written, thorough bug report, 24 | and will thank you for it! 25 | 26 | Check that [our issue database](https://github.com/docker/go-imageinspect/issues) 27 | doesn't already include that problem or suggestion before submitting an issue. 28 | If you find a match, you can use the "subscribe" button to get notified on 29 | updates. Do *not* leave random "+1" or "I have this too" comments, as they 30 | only clutter the discussion, and don't help resolving it. However, if you 31 | have ways to reproduce the issue or have additional information that may help 32 | resolving the issue, please leave a comment. 33 | 34 | Include the steps required to reproduce the problem if possible and applicable. 35 | This information will help us review and fix your issue faster. When sending 36 | lengthy log-files, consider posting them as an attachment, instead of posting 37 | inline. 38 | 39 | **Do not forget to remove sensitive data from your logfiles before submitting** 40 | (you can replace those parts with "REDACTED"). 41 | 42 | ### Pull requests are always welcome 43 | 44 | Not sure if that typo is worth a pull request? Found a bug and know how to fix 45 | it? Do it! We will appreciate it. 46 | 47 | If your pull request is not accepted on the first try, don't be discouraged! If 48 | there's a problem with the implementation, hopefully you received feedback on 49 | what to improve. 50 | 51 | We're trying very hard to keep go-imageinspect lean and focused. We don't want 52 | it to do everything for everybody. This means that we might decide against 53 | incorporating a new feature. However, there might be a way to implement that 54 | feature *on top of* go-imageinspect. 55 | 56 | ### Design and cleanup proposals 57 | 58 | You can propose new designs for existing features. You can also design 59 | entirely new features. We really appreciate contributors who want to refactor or 60 | otherwise cleanup our project. 61 | 62 | ### Sign your work 63 | 64 | The sign-off is a simple line at the end of the explanation for the patch. Your 65 | signature certifies that you wrote the patch or otherwise have the right to pass 66 | it on as an open-source patch. The rules are pretty simple: if you can certify 67 | the below (from [developercertificate.org](http://developercertificate.org/)): 68 | 69 | ``` 70 | Developer Certificate of Origin 71 | Version 1.1 72 | 73 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 74 | 1 Letterman Drive 75 | Suite D4700 76 | San Francisco, CA, 94129 77 | 78 | Everyone is permitted to copy and distribute verbatim copies of this 79 | license document, but changing it is not allowed. 80 | 81 | Developer's Certificate of Origin 1.1 82 | 83 | By making a contribution to this project, I certify that: 84 | 85 | (a) The contribution was created in whole or in part by me and I 86 | have the right to submit it under the open source license 87 | indicated in the file; or 88 | 89 | (b) The contribution is based upon previous work that, to the best 90 | of my knowledge, is covered under an appropriate open source 91 | license and I have the right under that license to submit that 92 | work with modifications, whether created in whole or in part 93 | by me, under the same open source license (unless I am 94 | permitted to submit under a different license), as indicated 95 | in the file; or 96 | 97 | (c) The contribution was provided directly to me by some other 98 | person who certified (a), (b) or (c) and I have not modified 99 | it. 100 | 101 | (d) I understand and agree that this project and the contribution 102 | are public and that a record of the contribution (including all 103 | personal information I submit with it, including my sign-off) is 104 | maintained indefinitely and may be redistributed consistent with 105 | this project or the open source license(s) involved. 106 | ``` 107 | 108 | Then you just add a line to every git commit message: 109 | 110 | Signed-off-by: Joe Smith 111 | 112 | **Use your real name** (sorry, no pseudonyms or anonymous contributions.) 113 | 114 | If you set your `user.name` and `user.email` git configs, you can sign your 115 | commit automatically with `git commit -s`. 116 | 117 | ### Run the unit- and integration-tests 118 | 119 | To validate PRs before submitting them you should run: 120 | 121 | ```console 122 | $ docker buildx bake validate test 123 | ``` 124 | 125 | To generate new vendored with go modules run: 126 | 127 | ```console 128 | $ docker buildx bake vendor-update 129 | ``` 130 | 131 | 132 | ### Conventions 133 | 134 | - Fork the repository and make changes on your fork in a feature branch 135 | - Submit tests for your changes. See [run the unit- and integration-tests](#run-the-unit--and-integration-tests) 136 | for details. 137 | - [Sign your work](#sign-your-work) 138 | 139 | Write clean code. Universally formatted code promotes ease of writing, reading, 140 | and maintenance. Always run `gofmt -s -w file.go` on each changed file before 141 | committing your changes. Most editors have plug-ins that do this automatically. 142 | 143 | Pull request descriptions should be as clear as possible and include a 144 | reference to all the issues that they address. Be sure that the [commit 145 | messages](#commit-messages) also contain the relevant information. 146 | 147 | ### Successful Changes 148 | 149 | Before contributing large or high impact changes, make the effort to coordinate 150 | with the maintainers of the project before submitting a pull request. This 151 | prevents you from doing extra work that may or may not be merged. 152 | 153 | Large PRs that are just submitted without any prior communication are unlikely 154 | to be successful. 155 | 156 | While pull requests are the methodology for submitting changes to code, changes 157 | are much more likely to be accepted if they are accompanied by additional 158 | engineering work. While we don't define this explicitly, most of these goals 159 | are accomplished through communication of the design goals and subsequent 160 | solutions. Often times, it helps to first state the problem before presenting 161 | solutions. 162 | 163 | Typically, the best methods of accomplishing this are to submit an issue, 164 | stating the problem. This issue can include a problem statement and a 165 | checklist with requirements. If solutions are proposed, alternatives should be 166 | listed and eliminated. Even if the criteria for elimination of a solution is 167 | frivolous, say so. 168 | 169 | Larger changes typically work best with design documents. These are focused on 170 | providing context to the design at the time the feature was conceived and can 171 | inform future documentation contributions. 172 | 173 | ### Commit Messages 174 | 175 | Commit messages must start with a capitalized and short summary (max. 50 chars) 176 | written in the imperative, followed by an optional, more detailed explanatory 177 | text which is separated from the summary by an empty line. 178 | 179 | Commit messages should follow best practices, including explaining the context 180 | of the problem and how it was solved, including in caveats or follow up changes 181 | required. They should tell the story of the change and provide readers 182 | understanding of what led to it. 183 | 184 | If you're lost about what this even means, please see [How to Write a Git 185 | Commit Message](http://chris.beams.io/posts/git-commit/) for a start. 186 | 187 | In practice, the best approach to maintaining a nice commit message is to 188 | leverage a `git add -p` and `git commit --amend` to formulate a solid 189 | changeset. This allows one to piece together a change, as information becomes 190 | available. 191 | 192 | If you squash a series of commits, don't just submit that. Re-write the commit 193 | message, as if the series of commits was a single stroke of brilliance. 194 | 195 | That said, there is no requirement to have a single commit for a PR, as long as 196 | each commit tells the story. For example, if there is a feature that requires a 197 | package, it might make sense to have the package in a separate commit then have 198 | a subsequent commit that uses it. 199 | 200 | Remember, you're telling part of the story with the commit message. Don't make 201 | your chapter weird. 202 | 203 | ### Review 204 | 205 | Code review comments may be added to your pull request. Discuss, then make the 206 | suggested modifications and push additional commits to your feature branch. Post 207 | a comment after pushing. New commits show up in the pull request automatically, 208 | but the reviewers are notified only when you comment. 209 | 210 | Pull requests must be cleanly rebased on top of master without multiple branches 211 | mixed into the PR. 212 | 213 | > **Git tip**: If your PR no longer merges cleanly, use `rebase master` in your 214 | > feature branch to update your pull request rather than `merge master`. 215 | 216 | Before you make a pull request, squash your commits into logical units of work 217 | using `git rebase -i` and `git push -f`. A logical unit of work is a consistent 218 | set of patches that should be reviewed together: for example, upgrading the 219 | version of a vendored dependency and taking advantage of its now available new 220 | feature constitute two separate units of work. Implementing a new function and 221 | calling it in another file constitute a single logical unit of work. The very 222 | high majority of submissions should have a single commit, so if in doubt: squash 223 | down to one. 224 | 225 | - After every commit, [make sure the test suite passes](#run-the-unit--and-integration-tests). 226 | Include documentation changes in the same pull request so that a revert would 227 | remove all traces of the feature or fix. 228 | - Include an issue reference like `closes #XXXX` or `fixes #XXXX` in the PR 229 | description that close an issue. Including references automatically closes 230 | the issue on a merge. 231 | - Do not add yourself to the `AUTHORS` file, as it is regenerated regularly 232 | from the Git history. 233 | - See the [Coding Style](#coding-style) for further guidelines. 234 | 235 | 236 | ### Merge approval 237 | 238 | Project maintainers use LGTM (Looks Good To Me) in comments on the code review to 239 | indicate acceptance, or use the Github review approval feature. 240 | 241 | 242 | ## Coding Style 243 | 244 | Unless explicitly stated, we follow all coding guidelines from the Go 245 | community. While some of these standards may seem arbitrary, they somehow seem 246 | to result in a solid, consistent codebase. 247 | 248 | It is possible that the code base does not currently comply with these 249 | guidelines. We are not looking for a massive PR that fixes this, since that 250 | goes against the spirit of the guidelines. All new contributions should make a 251 | best effort to clean up and make the code base better than they left it. 252 | Obviously, apply your best judgement. Remember, the goal here is to make the 253 | code base easier for humans to navigate and understand. Always keep that in 254 | mind when nudging others to comply. 255 | 256 | The rules: 257 | 258 | 1. All code should be formatted with `gofmt -s`. 259 | 2. All code should pass the default levels of 260 | [`golint`](https://github.com/golang/lint). 261 | 3. All code should follow the guidelines covered in [Effective 262 | Go](http://golang.org/doc/effective_go.html) and [Go Code Review 263 | Comments](https://github.com/golang/go/wiki/CodeReviewComments). 264 | 4. Comment the code. Tell us the why, the history and the context. 265 | 5. Document _all_ declarations and methods, even private ones. Declare 266 | expectations, caveats and anything else that may be important. If a type 267 | gets exported, having the comments already there will ensure it's ready. 268 | 6. Variable name length should be proportional to its context and no longer. 269 | `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`. 270 | In practice, short methods will have short variable names and globals will 271 | have longer names. 272 | 7. No underscores in package names. If you need a compound name, step back, 273 | and re-examine why you need a compound name. If you still think you need a 274 | compound name, lose the underscore. 275 | 8. No utils or helpers packages. If a function is not general enough to 276 | warrant its own package, it has not been written generally enough to be a 277 | part of a util package. Just leave it unexported and well-documented. 278 | 9. All tests should run with `go test` and outside tooling should not be 279 | required. No, we don't need another unit testing framework. Assertion 280 | packages are acceptable if they provide _real_ incremental value. 281 | 10. Even though we call these "rules" above, they are actually just 282 | guidelines. Since you've read all the rules, you now know that. 283 | 284 | If you are having trouble getting into the mood of idiomatic Go, we recommend 285 | reading through [Effective Go](https://golang.org/doc/effective_go.html). The 286 | [Go Blog](https://blog.golang.org) is also a great resource. 287 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 2 | cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= 3 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 4 | github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= 5 | github.com/Microsoft/hcsshim v0.9.5 h1:AbV+VPfTrIVffukazHcpxmz/sRiE6YaMDzHWR9BXZHo= 6 | github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= 7 | github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 8 | github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= 9 | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 10 | github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 11 | github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= 12 | github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= 13 | github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= 14 | github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= 15 | github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= 16 | github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= 17 | github.com/containerd/cgroups v1.0.3 h1:ADZftAkglvCiD44c77s5YmMqaP2pzVCFZvBmAlBdAP4= 18 | github.com/containerd/containerd v1.6.10 h1:8aiav7I2ZyQLbTlNMcBXyAU1FtFvp6VuyuW13qSd6Hk= 19 | github.com/containerd/containerd v1.6.10/go.mod h1:CVqfxdJ95PDgORwA219AwwLrREZgrTFybXu2HfMKRG0= 20 | github.com/containerd/ttrpc v1.1.0 h1:GbtyLRxb0gOLR0TYQWt3O6B0NvT8tMdorEHqIQo/lWI= 21 | github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ= 22 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 23 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 24 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 25 | github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= 26 | github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 27 | github.com/docker/docker v20.10.3-0.20221124164242-a913b5ad7ef1+incompatible h1:DIeHTXiwBnyvC8H38QHJCtU/pyEEAtUHwZgAaDPX2wI= 28 | github.com/docker/docker v20.10.3-0.20221124164242-a913b5ad7ef1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= 29 | github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 30 | github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 31 | github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 32 | github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= 33 | github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= 34 | github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= 35 | github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= 36 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 37 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 38 | github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 39 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= 40 | github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 41 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 42 | github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 43 | github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 44 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 45 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 46 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 47 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 48 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 49 | github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= 50 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 51 | github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 52 | github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= 53 | github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= 54 | github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= 55 | github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 56 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 57 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 58 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 59 | github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 60 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 61 | github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 62 | github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 63 | github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= 64 | github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= 65 | github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 66 | github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= 67 | github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add h1:DAh7mHiRT7wc6kKepYdCpH16ElPciMPQWJaJ7H3l/ng= 68 | github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add/go.mod h1:DQI8vlV6h6qSY/tCOoYKtxjWrkyiNpJ3WTV/WoBllmQ= 69 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 70 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 71 | github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM= 72 | github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= 73 | github.com/moby/buildkit v0.10.1-0.20221121234933-ae9d0f57c7f3 h1:JDRtokLOyVwiw+8XZagOlS8IbFqqtbmRMnyE/cKdHAg= 74 | github.com/moby/buildkit v0.10.1-0.20221121234933-ae9d0f57c7f3/go.mod h1:oDEISQNKfANlbCdk3SM/8BjI+gxryMcxgdb5nGYE9sE= 75 | github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= 76 | github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= 77 | github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= 78 | github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 79 | github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= 80 | github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs= 81 | github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs= 82 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 83 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 84 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 85 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 86 | github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 87 | github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= 88 | github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= 89 | github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= 90 | github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY= 91 | github.com/secure-systems-lab/go-securesystemslib v0.4.0 h1:b23VGrQhTA8cN2CbBw7/FulN9fTtqYUdS5+Oxzt+DUE= 92 | github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICsxWQW1msNf49F0Pf2Op5Htayx335Qbs= 93 | github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI= 94 | github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE= 95 | github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 96 | github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= 97 | github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 98 | github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= 99 | github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0= 100 | github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM= 101 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 102 | github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= 103 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 104 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 105 | github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 106 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 107 | github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 108 | github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= 109 | github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= 110 | github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 111 | github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= 112 | github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= 113 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 114 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 115 | go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= 116 | go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= 117 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 118 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 119 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 120 | golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE= 121 | golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= 122 | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 123 | golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 124 | golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= 125 | golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 126 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 127 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 128 | golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 129 | golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 130 | golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 131 | golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 132 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 133 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 134 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 135 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 136 | golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= 137 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 138 | golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= 139 | golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= 140 | golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= 141 | golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 142 | golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 143 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 144 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 145 | golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 146 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 147 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 148 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 149 | golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 150 | golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= 151 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 152 | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 153 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 154 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 155 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 156 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 157 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 158 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 159 | golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 160 | golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 161 | golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 162 | golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 163 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 164 | golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= 165 | golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 166 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 167 | golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= 168 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 169 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 170 | golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 171 | golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= 172 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 173 | golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 174 | golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 175 | golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 176 | golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= 177 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 178 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 179 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 180 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 181 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 182 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 183 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 184 | google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 185 | google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 186 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= 187 | google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= 188 | google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 189 | google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 190 | google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= 191 | google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 h1:hrbNEivu7Zn1pxvHk6MBrq9iE22woVILTHqexqBxe6I= 192 | google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= 193 | google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 194 | google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= 195 | google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 196 | google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 197 | google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= 198 | google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= 199 | google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= 200 | google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= 201 | google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY= 202 | google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= 203 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 204 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 205 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 206 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 207 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 208 | google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 209 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 210 | google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 211 | google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 212 | google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= 213 | google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 214 | google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= 215 | google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 216 | google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= 217 | google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= 218 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 219 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 220 | gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 221 | gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 222 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 223 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 224 | gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 225 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 226 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 227 | gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= 228 | honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 229 | honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 230 | sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 231 | --------------------------------------------------------------------------------