Remove user configuration (#4)

Author: wagoodman

README.md

@@ -13,94 +13,3 @@ curl -sSfL https://raw.githubusercontent.com/anchore/docker-sbom-cli-plugin/main
 # use the sbom plugin
 docker sbom <my-image>
 ```
-
-## Configuration
-
-Configuration search paths:
-
-- `.syft.yaml`
-- `.syft/config.yaml`
-- `~/.syft.yaml`
-- `<XDG_CONFIG_HOME>/syft/config.yaml`
-
-Configuration options (example values are the default):
-
-```yaml
-# the output format(s) of the SBOM report (options: table, text, json, spdx, ...)
-# same as -o, --output, and SYFT_OUTPUT env var
-# to specify multiple output files in differing formats, use a list:
-# output:
-#   - "json=<syft-json-output-file>"
-#   - "spdx-json=<spdx-json-output-file>"
-output: "table"
-
-# suppress all output (except for the SBOM report)
-# same as -q ; SYFT_QUIET env var
-quiet: false
-
-# same as --file; write output report to a file (default is to write to stdout)
-file: ""
-
-# a list of globs to exclude from scanning. same as --exclude ; for example:
-# exclude:
-#   - "/etc/**"
-#   - "./out/**/*.json"
-exclude: []
-
-# override the OS or architecture options (e.g. "windows/arm/v7", "linux/arm64", "arm64") similar to "docker --platform"
-# same as --platform; SYFT_PLATFORM env var
-platform: ""
-
-# catalog packages
-package:
-
-  # search within archives that do contain a file index to search against (zip)
-  # note: for now this only applies to the java package cataloger
-  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
-  search-indexed-archives: true
-
-  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
-  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
-  # note: for now this only applies to the java package cataloger
-  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
-  search-unindexed-archives: false
-
-  cataloger:
-    # enable/disable cataloging of packages
-    # SYFT_PACKAGE_CATALOGER_ENABLED env var
-    enabled: true
-
-    # the search space to look for packages (options: all-layers, squashed)
-    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
-    scope: "squashed"
-
-# catalog file metadata
-file-metadata:
-  cataloger:
-    # enable/disable cataloging of file metadata
-    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
-    enabled: true
-
-    # the search space to look for file metadata (options: all-layers, squashed)
-    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
-    scope: "squashed"
-
-  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
-  # SYFT_FILE_METADATA_DIGESTS env var
-  digests: ["sha256"]
-
-log:
-  # use structured logging
-  # same as SYFT_LOG_STRUCTURED env var
-  structured: false
-
-  # the log level; note: detailed logging suppress the ETUI
-  # same as SYFT_LOG_LEVEL env var
-  level: "error"
-
-  # location to write the log file (default is not to have a log file)
-  # same as SYFT_LOG_FILE env var
-  file: ""
-
-```
-

cmd/root.go

@@ -19,7 +19,6 @@ import (
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/stereoscope/pkg/image"
 	"github.com/anchore/syft/syft"
-	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/event"
 	"github.com/anchore/syft/syft/pkg/cataloger"
 	"github.com/anchore/syft/syft/sbom"
@@ -33,6 +32,7 @@ Examples:
   docker sbom alpine:latest -o syft-json                           show all possible cataloging details
   docker sbom alpine:latest -o syft-json --file sbom.json          write report output to a file
   docker sbom alpine:latest -o table -o sbom.json=cyclonedx-json   report the SBOM in multiple formats
+  docker sbom alpine:latest --exclude /lib  --exclude '**/*.db'    ignore one or more paths in the image
   docker sbom alpine:latest -v                                     show logging output
   docker sbom alpine:latest -vv                                    show verbose debug logs`
 
@@ -78,7 +78,7 @@ func setPackageFlags(flags *pflag.FlagSet) {
 	// Formatting & Input options //////////////////////////////////////////////
 	flags.StringP(
 		"scope", "s", cataloger.DefaultSearchConfig().Scope.String(),
-		fmt.Sprintf("selection of layers to catalog, options=%v", source.AllScopes))
+		fmt.Sprintf("[experimental] selection of layers to catalog, options=%v", source.AllScopes))
 
 	flags.StringArrayP(
 		"output", "o", formatAliases(syft.TableFormatID),
@@ -184,35 +184,26 @@ func isVerbose() (result bool) {
 	return appConfig.CliOptions.Verbosity > 0 || isPipedInput
 }
 
-func generateSBOM(src *source.Source, errs chan error) (*sbom.SBOM, error) {
-	tasks, err := catalogingTasks()
-	if err != nil {
-		return nil, err
-	}
-
+func generateSBOM(src *source.Source) (*sbom.SBOM, error) {
 	s := sbom.SBOM{
 		Source: src.Metadata,
 		Descriptor: sbom.Descriptor{
 			Name:          internal.SyftName,
-			Version:       version.FromBuild().Version,
+			Version:       version.FromBuild().SyftVersion,
 			Configuration: appConfig,
 		},
 	}
 
-	buildRelationships(&s, src, tasks, errs)
-
-	return &s, nil
-}
-
-func buildRelationships(s *sbom.SBOM, src *source.Source, tasks []task, errs chan error) {
-	var relationships []<-chan artifact.Relationship
-	for _, task := range tasks {
-		c := make(chan artifact.Relationship)
-		relationships = append(relationships, c)
-		go runTask(task, &s.Artifacts, src, c, errs)
+	packageCatalog, relationships, theDistro, err := syft.CatalogPackages(src, appConfig.Package.ToConfig())
+	if err != nil {
+		return nil, fmt.Errorf("unable to catalog packages: %w", err)
 	}
 
-	s.Relationships = append(s.Relationships, mergeRelationships(relationships...)...)
+	s.Artifacts.PackageCatalog = packageCatalog
+	s.Artifacts.LinuxDistribution = theDistro
+	s.Relationships = relationships
+
+	return &s, nil
 }
 
 func sbomExecWorker(si source.Input, writer sbom.Writer) <-chan error {
@@ -229,7 +220,7 @@ func sbomExecWorker(si source.Input, writer sbom.Writer) <-chan error {
 			return
 		}
 
-		s, err := generateSBOM(src, errs)
+		s, err := generateSBOM(src)
 		if err != nil {
 			errs <- err
 			return
@@ -247,13 +238,3 @@ func sbomExecWorker(si source.Input, writer sbom.Writer) <-chan error {
 	}()
 	return errs
 }
-
-func mergeRelationships(cs ...<-chan artifact.Relationship) (relationships []artifact.Relationship) {
-	for _, c := range cs {
-		for n := range c {
-			relationships = append(relationships, n)
-		}
-	}
-
-	return relationships
-}

cmd/tasks.go

@@ -5,7 +5,6 @@ go 1.17
 require (
 	github.com/Microsoft/hcsshim v0.9.2 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
-	github.com/adrg/xdg v0.2.1
 	github.com/anchore/stereoscope v0.0.0-20220307154759-8a5a70c227d3
 	github.com/anchore/syft v0.41.1
 	github.com/containerd/containerd v1.5.10 // indirect
@@ -16,7 +15,6 @@ require (
 	github.com/fvbommel/sortorder v1.0.2 // indirect
 	github.com/gookit/color v1.4.2
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/moby/sys/mount v0.3.0 // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
 	github.com/sirupsen/logrus v1.8.1
@@ -83,6 +81,7 @@ require (
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mholt/archiver/v3 v3.5.1 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/moby/sys/mountinfo v0.5.0 // indirect

go.mod

@@ -240,7 +240,6 @@ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpH
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
 github.com/acobaugh/osrelease v0.1.0 h1:Yb59HQDGGNhCj4suHaFQQfBps5wyoKLSSX/J/+UifRE=
 github.com/acobaugh/osrelease v0.1.0/go.mod h1:4bFEs0MtgHNHBrmHCt67gNisnabCRAlzdVasCEGHTWY=
-github.com/adrg/xdg v0.2.1 h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=
 github.com/adrg/xdg v0.2.1/go.mod h1:ZuOshBmzV4Ta+s23hdfFZnBsdzmoR3US0d7ErpqSbTQ=
 github.com/afex/hystrix-go v0.0.0-20180502004556-fa1af6a1f4f5/go.mod h1:SkGFH1ia65gfNATL8TAiHDNxPzPdmEL5uirI2Uyuz6c=
 github.com/agiledragon/gomonkey v2.0.2+incompatible/go.mod h1:2NGfXu1a80LLr2cmWXGBDaHEjb1idR6+FVlX5T3D9hw=