Add handling of "local-registry"

Signed-off-by: C0D3 M4513R <[email protected]>
anchore · Jun 11, 2024 · a6569b5 · a6569b5
1 parent 0f8f724
commit a6569b5
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 31 deletions.
diff --git a/syft/format/internal/spdxutil/helpers/download_location.go b/syft/format/internal/spdxutil/helpers/download_location.go
@@ -25,8 +25,8 @@ func DownloadLocation(p pkg.Package) string {
 		case pkg.NpmPackageLockEntry:
 			return NoneIfEmpty(metadata.Resolved)
 		case pkg.RustCargoLockEntry:
-			var url, err = metadata.GetDownloadLink()
-			if err != nil {
+			var url, isLocal, err = metadata.GetDownloadLink()
+			if isLocal || err != nil {
 				return NOASSERTION
 			} else {
 				return NoneIfEmpty(url)

diff --git a/syft/pkg/cataloger/rust/repository.go b/syft/pkg/cataloger/rust/repository.go
@@ -12,6 +12,7 @@ import (
 	"github.com/go-git/go-git/v5/storage/memory"
 	"io"
 	"net/http"
+	"os"
 	"strings"
 )
 
@@ -26,6 +27,10 @@ type SourceId struct {
 	url  string
 }
 
+func (i *SourceId) IsLocalSource() bool {
+	return i.kind == SourceKindLocalRegistry
+}
+
 func GetSourceId(r *pkg.RustCargoLockEntry) (*SourceId, error) {
 	var before, after, found = strings.Cut(r.Source, "+")
 	if !found {
@@ -48,13 +53,29 @@ const (
 	SourceKindLocalDirectory = "directory"
 )
 
+const (
+	Crate          = "{crate}"
+	Version        = "{version}"
+	Prefix         = "{prefix}"
+	LowerPrefix    = "{lowerprefix}"
+	Sha256Checksum = "{sha256-checksum}"
+)
+
 var RegistryRepos = make(map[string]*memory.Storage)
 var RegistryConfig = make(map[string]RepositoryConfig)
 
 // RepositoryConfigName see https://github.com/rust-lang/cargo/blob/b134eff5cedcaa4879f60035d62630400e7fd543/src/cargo/sources/registry/mod.rs#L962
 const RepositoryConfigName = "config.json"
 
 func (i *SourceId) GetConfig() (*RepositoryConfig, error) {
+	if i.kind == SourceKindLocalRegistry {
+		//see https://github.com/rust-lang/cargo/blob/b134eff5cedcaa4879f60035d62630400e7fd543/src/cargo/sources/registry/local.rs#L14-L57
+		return &RepositoryConfig{
+			Download:     fmt.Sprintf("%s/%s-%s.crate", i.url, Crate, Version),
+			API:          "",
+			AuthRequired: false,
+		}, nil
+	}
 	if repoConfig, ok := RegistryConfig[i.url]; ok {
 		return &repoConfig, nil
 	}
@@ -74,6 +95,11 @@ func (i *SourceId) GetConfig() (*RepositoryConfig, error) {
 func (i *SourceId) GetPath(path string) ([]byte, error) {
 	var content []byte
 	switch i.kind {
+	case SourceKindLocalRegistry:
+		if path == RepositoryConfigName {
+			return nil, nil
+		}
+		return os.ReadFile(fmt.Sprintf("%s/index/%s", i.url, path))
 	case SourceKindSparse:
 		var resp, err = http.Get(fmt.Sprintf("%s/%s", i.url, path))
 		if err != nil {

diff --git a/syft/pkg/rust.go b/syft/pkg/rust.go
@@ -9,6 +9,7 @@ import (
 	"github.com/spdx/tools-golang/spdx"
 	"io"
 	"net/http"
+	"os"
 	"strings"
 )
 
@@ -49,59 +50,63 @@ func (r *RustCargoLockEntry) GetPrefix() string {
 	}
 }
 
-func (r *RustCargoLockEntry) GetDownloadLink() (string, error) {
-	var sourceId, err = rust.GetSourceId(r)
+func (r *RustCargoLockEntry) GetDownloadLink() (url string, isLocalFile bool, err error) {
+	sourceId, err := rust.GetSourceId(r)
 	if err != nil {
-		return "", err
+		return "", false, err
 	}
+	isLocalFile = sourceId.IsLocalSource()
 	var repoConfig *rust.RepositoryConfig = nil
 	repoConfig, err = sourceId.GetConfig()
 	if err != nil {
-		return "", err
+		return "", isLocalFile, err
 	}
-	return r.getDownloadLink(repoConfig.Download), err
+	return r.getDownloadLink(repoConfig.Download), isLocalFile, err
 }
 
 func (r *RustCargoLockEntry) getDownloadLink(url string) string {
-	const Crate = "{crate}"
-	const Version = "{version}"
-	const Prefix = "{prefix}"
-	const LowerPrefix = "{lowerprefix}"
-	const Sha256Checksum = "{sha256-checksum}"
-	if !strings.Contains(url, Crate) &&
-		!strings.Contains(url, Version) &&
-		!strings.Contains(url, Prefix) &&
-		!strings.Contains(url, LowerPrefix) &&
-		!strings.Contains(url, Sha256Checksum) {
+	if !strings.Contains(url, rust.Crate) &&
+		!strings.Contains(url, rust.Version) &&
+		!strings.Contains(url, rust.Prefix) &&
+		!strings.Contains(url, rust.LowerPrefix) &&
+		!strings.Contains(url, rust.Sha256Checksum) {
 		return url + fmt.Sprintf("/%s/%s/download", r.Name, r.Version)
 	}
 
 	var link = url
-	link = strings.ReplaceAll(link, Crate, r.Name)
-	link = strings.ReplaceAll(link, Version, r.Version)
-	link = strings.ReplaceAll(link, Prefix, r.GetPrefix())
-	link = strings.ReplaceAll(link, LowerPrefix, strings.ToLower(r.GetPrefix()))
-	link = strings.ReplaceAll(link, Sha256Checksum, r.Checksum)
+	link = strings.ReplaceAll(link, rust.Crate, r.Name)
+	link = strings.ReplaceAll(link, rust.Version, r.Version)
+	link = strings.ReplaceAll(link, rust.Prefix, r.GetPrefix())
+	link = strings.ReplaceAll(link, rust.LowerPrefix, strings.ToLower(r.GetPrefix()))
+	link = strings.ReplaceAll(link, rust.Sha256Checksum, r.Checksum)
 	return link
 }
 func (r *RustCargoLockEntry) GetIndexPath() string {
 	return fmt.Sprintf("%s/%s", strings.ToLower(r.GetPrefix()), strings.ToLower(r.Name))
 }
 func (r *RustCargoLockEntry) GetDownloadSha() []byte {
-	var link, err = r.GetDownloadLink()
-	if err != nil {
-		return nil
-	}
-	var resp *http.Response
-	resp, err = http.Get(link)
+	var link, isLocal, err = r.GetDownloadLink()
 	if err != nil {
 		return nil
 	}
 
 	var content []byte
-	content, err = io.ReadAll(resp.Body)
-	if err != nil {
-		return nil
+	if !isLocal {
+		var resp *http.Response
+		resp, err = http.Get(link)
+		if err != nil {
+			return nil
+		}
+
+		content, err = io.ReadAll(resp.Body)
+		if err != nil {
+			return nil
+		}
+	} else {
+		content, err = os.ReadFile(link)
+		if err != nil {
+			return nil
+		}
 	}
 
 	var hash = sha256.New().Sum(content)