Add support for application-level component support in containers (#1529)

* Add support for application-level component support in containers

Key changes:
- Add IArtifactComponentFactory interface with implementations for Linux, npm, and pip components
- Add IArtifactFilter interface with Mariner2ArtifactFilter to handle distro-specific artifact filtering
- Refactor LinuxScanner to use factories and filters via dependency injection
- Rename LinuxComponents to Components in LayerMappedLinuxComponents for generic support
- Update telemetry to track component types alongside names and versions
- Add test coverage for multi-type artifact scanning

* PR comments

* Update src/Microsoft.ComponentDetection.Detectors/linux/Filters/Mariner2ArtifactFilter.cs

Co-authored-by: Julian <[email protected]>

* PR review comment changes

---------

Co-authored-by: Julian <[email protected]>

Author: JamieMagee

src/Microsoft.ComponentDetection.Common/Telemetry/Records/LinuxScannerSyftTelemetryRecord.cs

@@ -4,9 +4,9 @@ public class LinuxScannerSyftTelemetryRecord : BaseDetectionTelemetryRecord
 {
     public override string RecordName => "LinuxScannerSyftTelemetry";
 
-    public string LinuxComponents { get; set; }
+    public string Components { get; set; }
 
     public string Exception { get; set; }
 
-    public string Mariner2ComponentsRemoved { get; set; }
+    public string ComponentsRemoved { get; set; }
 }

src/Microsoft.ComponentDetection.Contracts/BcdeModels/LayerMappedLinuxComponents.cs

@@ -3,9 +3,20 @@ namespace Microsoft.ComponentDetection.Contracts.BcdeModels;
 using System.Collections.Generic;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 
+/// <summary>
+/// Represents a mapping between a Docker layer and the components detected within that layer.
+/// This class associates components (both Linux system packages and application-level packages) with their corresponding Docker layer.
+/// </summary>
 public class LayerMappedLinuxComponents
 {
-    public IEnumerable<LinuxComponent> LinuxComponents { get; set; }
+    /// <summary>
+    /// Gets or sets the components detected in this layer.
+    /// This can include system packages (LinuxComponent) as well as application-level packages (NpmComponent, PipComponent, etc.).
+    /// </summary>
+    public IEnumerable<TypedComponent> Components { get; set; }
 
+    /// <summary>
+    /// Gets or sets the Docker layer associated with these components.
+    /// </summary>
     public DockerLayer DockerLayer { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/linux/Contracts/ImageScanningResult.cs

@@ -4,9 +4,18 @@ namespace Microsoft.ComponentDetection.Detectors.Linux.Contracts;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.BcdeModels;
 
+/// <summary>
+/// Represents the result of scanning a container image for components.
+/// </summary>
 internal class ImageScanningResult
 {
+    /// <summary>
+    /// Gets or sets the container details associated with the image scanning result.
+    /// </summary>
     public ContainerDetails ContainerDetails { get; set; }
 
+    /// <summary>
+    /// Gets or sets the collection of components detected during the image scanning process.
+    /// </summary>
     public IEnumerable<DetectedComponent> Components { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/linux/Exceptions/MissingContainerDetailException.cs

@@ -2,17 +2,32 @@ namespace Microsoft.ComponentDetection.Detectors.Linux.Exceptions;
 
 using System;
 
+/// <summary>
+/// Exception thrown when container details information cannot be found for a specified image.
+/// </summary>
 public class MissingContainerDetailException : Exception
 {
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class with the specified image ID.
+    /// </summary>
+    /// <param name="imageId">The ID of the container image for which details could not be found.</param>
     public MissingContainerDetailException(string imageId)
-        : base($"No container details information could be found for image ${imageId}")
+        : base($"No container details information could be found for image {imageId}")
     {
     }
 
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class.
+    /// </summary>
     public MissingContainerDetailException()
     {
     }
 
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class with a specified error message and a reference to the inner exception that is the cause of this exception.
+    /// </summary>
+    /// <param name="message">The error message that explains the reason for the exception.</param>
+    /// <param name="innerException">The exception that is the cause of the current exception, or a null reference if no inner exception is specified.</param>
     public MissingContainerDetailException(string message, Exception innerException)
         : base(message, innerException)
     {

src/Microsoft.ComponentDetection.Detectors/linux/Factories/ArtifactComponentFactoryBase.cs

@@ -0,0 +1,65 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Abstract base class for artifact component factories that provides common functionality
+/// for extracting license and author information from Syft artifacts.
+/// </summary>
+public abstract class ArtifactComponentFactoryBase : IArtifactComponentFactory
+{
+    /// <inheritdoc/>
+    public abstract IEnumerable<string> SupportedArtifactTypes { get; }
+
+    /// <inheritdoc/>
+    public abstract TypedComponent CreateComponent(ArtifactElement artifact, Distro distro);
+
+    /// <summary>
+    /// Extracts license information from the artifact, checking both metadata and top-level licenses array.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <returns>A comma-separated string of license values, or null if no licenses are found.</returns>
+    protected static string GetLicenseFromArtifact(ArtifactElement artifact)
+    {
+        // First try metadata.License which may be a string
+        var license = artifact.Metadata?.License?.String;
+        if (license != null)
+        {
+            return license;
+        }
+
+        // Fall back to top-level Licenses array
+        var licenses = artifact.Licenses;
+        if (licenses != null && licenses.Length != 0)
+        {
+            return string.Join(", ", licenses.Select(l => l.Value));
+        }
+
+        return null;
+    }
+
+    /// <summary>
+    /// Extracts author information from the artifact metadata, checking both Author and Maintainer fields.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <returns>The author or maintainer string, or null if neither is found.</returns>
+    protected static string GetAuthorFromArtifact(ArtifactElement artifact)
+    {
+        var author = artifact.Metadata?.Author;
+        if (!string.IsNullOrEmpty(author))
+        {
+            return author;
+        }
+
+        var maintainer = artifact.Metadata?.Maintainer;
+        if (!string.IsNullOrEmpty(maintainer))
+        {
+            return maintainer;
+        }
+
+        return null;
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/IArtifactComponentFactory.cs

@@ -0,0 +1,28 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory interface for creating TypedComponent instances from Syft artifacts.
+/// </summary>
+public interface IArtifactComponentFactory
+{
+    /// <summary>
+    /// Gets the artifact types (e.g., "npm", "apk", "deb") that this factory can handle.
+    /// </summary>
+    /// <remarks>
+    /// For a complete list of Syft artifact types, see:
+    /// https://github.com/anchore/syft/blob/main/syft/pkg/type.go.
+    /// </remarks>
+    public IEnumerable<string> SupportedArtifactTypes { get; }
+
+    /// <summary>
+    /// Creates a TypedComponent from a Syft artifact element.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <param name="distro">The distribution information from Syft output.</param>
+    /// <returns>A TypedComponent instance, or null if the artifact cannot be processed.</returns>
+    public TypedComponent CreateComponent(ArtifactElement artifact, Distro distro);
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/LinuxComponentFactory.cs

@@ -0,0 +1,39 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating <see cref="LinuxComponent"/> instances from system package artifacts (apk, deb, rpm).
+/// </summary>
+public class LinuxComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["apk", "deb", "rpm"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null || distro == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var license = GetLicenseFromArtifact(artifact);
+        var supplier = GetAuthorFromArtifact(artifact);
+
+        return new LinuxComponent(
+            distribution: distro.Id,
+            release: distro.VersionId,
+            name: artifact.Name,
+            version: artifact.Version,
+            license: license,
+            author: supplier);
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/NpmComponentFactory.cs

@@ -0,0 +1,59 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.Internal;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating <see cref="NpmComponent"/> instances from npm package artifacts.
+/// </summary>
+public class NpmComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["npm"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var author = GetNpmAuthorFromArtifact(artifact);
+        var hash = GetHashFromArtifact(artifact);
+
+        return new NpmComponent(
+            name: artifact.Name,
+            version: artifact.Version,
+            hash: hash,
+            author: author);
+    }
+
+    private static NpmAuthor GetNpmAuthorFromArtifact(ArtifactElement artifact)
+    {
+        var authorString = artifact.Metadata?.Author;
+        if (!string.IsNullOrWhiteSpace(authorString))
+        {
+            return new NpmAuthor(authorString);
+        }
+
+        return null;
+    }
+
+    private static string GetHashFromArtifact(ArtifactElement artifact)
+    {
+        if (!string.IsNullOrWhiteSpace(artifact.Metadata?.Integrity))
+        {
+            return artifact.Metadata.Integrity;
+        }
+
+        return null;
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/PipComponentFactory.cs

@@ -0,0 +1,37 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating <see cref="PipComponent"/> instances from Python package artifacts.
+/// </summary>
+public class PipComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["python"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var author = GetAuthorFromArtifact(artifact);
+        var license = GetLicenseFromArtifact(artifact);
+
+        return new PipComponent(
+            name: artifact.Name,
+            version: artifact.Version,
+            author: author,
+            license: license);
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Filters/IArtifactFilter.cs

@@ -0,0 +1,19 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Filters;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Interface for filtering or transforming Syft artifacts before component creation.
+/// Useful for handling distribution-specific workarounds or edge cases.
+/// </summary>
+public interface IArtifactFilter
+{
+    /// <summary>
+    /// Filters the provided artifacts and returns the filtered collection.
+    /// </summary>
+    /// <param name="artifacts">The artifacts to filter.</param>
+    /// <param name="distro">The distribution information from Syft output.</param>
+    /// <returns>The filtered collection of artifacts.</returns>
+    public IEnumerable<ArtifactElement> Filter(IEnumerable<ArtifactElement> artifacts, Distro distro);
+}