Add support for application-level component support in containers

Key changes:
- Add IArtifactComponentFactory interface with implementations for Linux, npm, and pip components
- Add IArtifactFilter interface with Mariner2ArtifactFilter to handle distro-specific artifact filtering
- Refactor LinuxScanner to use factories and filters via dependency injection
- Rename LinuxComponents to Components in LayerMappedLinuxComponents for generic support
- Update telemetry to track component types alongside names and versions
- Add test coverage for multi-type artifact scanning

Author: JamieMagee

src/Microsoft.ComponentDetection.Contracts/BcdeModels/LayerMappedLinuxComponents.cs

@@ -1,11 +1,24 @@
 namespace Microsoft.ComponentDetection.Contracts.BcdeModels;
 
+using System;
 using System.Collections.Generic;
+using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 
+/// <summary>
+/// Represents a mapping between a Docker layer and the components detected within that layer.
+/// This class associates components (both Linux system packages and application-level packages) with their corresponding Docker layer.
+/// </summary>
 public class LayerMappedLinuxComponents
 {
-    public IEnumerable<LinuxComponent> LinuxComponents { get; set; }
+    /// <summary>
+    /// Gets or sets the components detected in this layer.
+    /// This can include system packages (LinuxComponent) as well as application-level packages (NpmComponent, PipComponent, etc.).
+    /// </summary>
+    public IEnumerable<TypedComponent> Components { get; set; }
 
+    /// <summary>
+    /// Gets or sets the Docker layer associated with these components.
+    /// </summary>
     public DockerLayer DockerLayer { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/linux/Contracts/ImageScanningResult.cs

@@ -4,9 +4,18 @@ namespace Microsoft.ComponentDetection.Detectors.Linux.Contracts;
 using Microsoft.ComponentDetection.Contracts;
 using Microsoft.ComponentDetection.Contracts.BcdeModels;
 
+/// <summary>
+/// Represents the result of scanning a container image for components.
+/// </summary>
 internal class ImageScanningResult
 {
+    /// <summary>
+    /// Gets or sets the container details associated with the image scanning result.
+    /// </summary>
     public ContainerDetails ContainerDetails { get; set; }
 
+    /// <summary>
+    /// Gets or sets the collection of components detected during the image scanning process.
+    /// </summary>
     public IEnumerable<DetectedComponent> Components { get; set; }
 }

src/Microsoft.ComponentDetection.Detectors/linux/Exceptions/MissingContainerDetailException.cs

@@ -2,17 +2,32 @@ namespace Microsoft.ComponentDetection.Detectors.Linux.Exceptions;
 
 using System;
 
+/// <summary>
+/// Exception thrown when container details information cannot be found for a specified image.
+/// </summary>
 public class MissingContainerDetailException : Exception
 {
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class with the specified image ID.
+    /// </summary>
+    /// <param name="imageId">The ID of the container image for which details could not be found.</param>
     public MissingContainerDetailException(string imageId)
-        : base($"No container details information could be found for image ${imageId}")
+        : base($"No container details information could be found for image {imageId}")
     {
     }
 
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class.
+    /// </summary>
     public MissingContainerDetailException()
     {
     }
 
+    /// <summary>
+    /// Initializes a new instance of the <see cref="MissingContainerDetailException"/> class with a specified error message and a reference to the inner exception that is the cause of this exception.
+    /// </summary>
+    /// <param name="message">The error message that explains the reason for the exception.</param>
+    /// <param name="innerException">The exception that is the cause of the current exception, or a null reference if no inner exception is specified.</param>
     public MissingContainerDetailException(string message, Exception innerException)
         : base(message, innerException)
     {

src/Microsoft.ComponentDetection.Detectors/linux/Factories/ArtifactComponentFactoryBase.cs

@@ -0,0 +1,65 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Abstract base class for artifact component factories that provides common functionality
+/// for extracting license and author information from Syft artifacts.
+/// </summary>
+public abstract class ArtifactComponentFactoryBase : IArtifactComponentFactory
+{
+    /// <inheritdoc/>
+    public abstract IEnumerable<string> SupportedArtifactTypes { get; }
+
+    /// <inheritdoc/>
+    public abstract TypedComponent CreateComponent(ArtifactElement artifact, Distro distro);
+
+    /// <summary>
+    /// Extracts license information from the artifact, checking both metadata and top-level licenses array.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <returns>A comma-separated string of license values, or null if no licenses are found.</returns>
+    protected static string GetLicenseFromArtifact(ArtifactElement artifact)
+    {
+        // First try metadata.License which may be a string
+        var license = artifact.Metadata?.License?.String;
+        if (license != null)
+        {
+            return license;
+        }
+
+        // Fall back to top-level Licenses array
+        var licenses = artifact.Licenses;
+        if (licenses != null && licenses.Length != 0)
+        {
+            return string.Join(", ", licenses.Select(l => l.Value));
+        }
+
+        return null;
+    }
+
+    /// <summary>
+    /// Extracts author information from the artifact metadata, checking both Author and Maintainer fields.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <returns>The author or maintainer string, or null if neither is found.</returns>
+    protected static string GetAuthorFromArtifact(ArtifactElement artifact)
+    {
+        var author = artifact.Metadata?.Author;
+        if (!string.IsNullOrEmpty(author))
+        {
+            return author;
+        }
+
+        var maintainer = artifact.Metadata?.Maintainer;
+        if (!string.IsNullOrEmpty(maintainer))
+        {
+            return maintainer;
+        }
+
+        return null;
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/IArtifactComponentFactory.cs

@@ -0,0 +1,24 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory interface for creating TypedComponent instances from Syft artifacts.
+/// </summary>
+public interface IArtifactComponentFactory
+{
+    /// <summary>
+    /// Gets the artifact types (e.g., "npm", "apk", "deb") that this factory can handle.
+    /// </summary>
+    public IEnumerable<string> SupportedArtifactTypes { get; }
+
+    /// <summary>
+    /// Creates a TypedComponent from a Syft artifact element.
+    /// </summary>
+    /// <param name="artifact">The artifact element from Syft output.</param>
+    /// <param name="distro">The distribution information from Syft output.</param>
+    /// <returns>A TypedComponent instance, or null if the artifact cannot be processed.</returns>
+    public TypedComponent CreateComponent(ArtifactElement artifact, Distro distro);
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/LinuxComponentFactory.cs

@@ -0,0 +1,39 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating LinuxComponent instances from system package artifacts (apk, deb, rpm).
+/// </summary>
+public class LinuxComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["apk", "deb", "rpm"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null || distro == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var license = GetLicenseFromArtifact(artifact);
+        var supplier = GetAuthorFromArtifact(artifact);
+
+        return new LinuxComponent(
+            distribution: distro.Id,
+            release: distro.VersionId,
+            name: artifact.Name,
+            version: artifact.Version,
+            license: license,
+            author: supplier);
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/NpmComponentFactory.cs

@@ -0,0 +1,59 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.Internal;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating NpmComponent instances from npm package artifacts.
+/// </summary>
+public class NpmComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["npm"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var author = GetNpmAuthorFromArtifact(artifact);
+        var hash = GetHashFromArtifact(artifact);
+
+        return new NpmComponent(
+            name: artifact.Name,
+            version: artifact.Version,
+            hash: hash,
+            author: author);
+    }
+
+    private static NpmAuthor GetNpmAuthorFromArtifact(ArtifactElement artifact)
+    {
+        var authorString = artifact.Metadata?.Author;
+        if (!string.IsNullOrWhiteSpace(authorString))
+        {
+            return new NpmAuthor(authorString);
+        }
+
+        return null;
+    }
+
+    private static string GetHashFromArtifact(ArtifactElement artifact)
+    {
+        if (!string.IsNullOrWhiteSpace(artifact.Metadata?.Integrity))
+        {
+            return artifact.Metadata.Integrity;
+        }
+
+        return null;
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Factories/PipComponentFactory.cs

@@ -0,0 +1,37 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Factories;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Factory for creating PipComponent instances from Python package artifacts.
+/// </summary>
+public class PipComponentFactory : ArtifactComponentFactoryBase
+{
+    /// <inheritdoc/>
+    public override IEnumerable<string> SupportedArtifactTypes => ["python"];
+
+    /// <inheritdoc/>
+    public override TypedComponent CreateComponent(ArtifactElement artifact, Distro distro)
+    {
+        if (artifact == null)
+        {
+            return null;
+        }
+
+        if (string.IsNullOrWhiteSpace(artifact.Name) || string.IsNullOrWhiteSpace(artifact.Version))
+        {
+            return null;
+        }
+
+        var author = GetAuthorFromArtifact(artifact);
+        var license = GetLicenseFromArtifact(artifact);
+
+        return new PipComponent(
+            name: artifact.Name,
+            version: artifact.Version,
+            author: author,
+            license: license);
+    }
+}

src/Microsoft.ComponentDetection.Detectors/linux/Filters/IArtifactFilter.cs

@@ -0,0 +1,19 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Filters;
+
+using System.Collections.Generic;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+
+/// <summary>
+/// Interface for filtering or transforming Syft artifacts before component creation.
+/// Useful for handling distribution-specific workarounds or edge cases.
+/// </summary>
+public interface IArtifactFilter
+{
+    /// <summary>
+    /// Filters the provided artifacts and returns the filtered collection.
+    /// </summary>
+    /// <param name="artifacts">The artifacts to filter.</param>
+    /// <param name="distro">The distribution information from Syft output.</param>
+    /// <returns>The filtered collection of artifacts.</returns>
+    public IEnumerable<ArtifactElement> Filter(IEnumerable<ArtifactElement> artifacts, Distro distro);
+}

src/Microsoft.ComponentDetection.Detectors/linux/Filters/Mariner2ArtifactFilter.cs

@@ -0,0 +1,58 @@
+namespace Microsoft.ComponentDetection.Detectors.Linux.Filters;
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.ComponentDetection.Common.Telemetry.Records;
+using Microsoft.ComponentDetection.Detectors.Linux.Contracts;
+using Newtonsoft.Json;
+
+/// <summary>
+/// Filters out invalid ELF binary packages from Mariner 2.0 images that lack proper release/epoch version fields.
+/// This workaround addresses an issue where Syft's elf-binary-package-cataloger detects packages without complete
+/// version information. The issue was fixed in Azure Linux 3.0 (https://github.com/microsoft/azurelinux/pull/10405),
+/// but Mariner 2.0 no longer receives non-security updates and will be deprecated in July 2025.
+/// Related Syft PR: https://github.com/anchore/syft/pull/3008.
+/// </summary>
+public class Mariner2ArtifactFilter : IArtifactFilter
+{
+    /// <inheritdoc/>
+    public IEnumerable<ArtifactElement> Filter(IEnumerable<ArtifactElement> artifacts, Distro distro)
+    {
+        if (artifacts == null || distro == null)
+        {
+            return artifacts ?? [];
+        }
+
+        // Only apply this filter to Mariner 2.0
+        if (distro.Id != "mariner" || distro.VersionId != "2.0")
+        {
+            return artifacts;
+        }
+
+        using var syftTelemetryRecord = new LinuxScannerSyftTelemetryRecord();
+
+        var artifactsList = artifacts.ToList();
+
+        // Find ELF packages that lack release version (indicated by missing dash in version string)
+        var elfVersionsWithoutRelease = artifactsList
+            .Where(artifact =>
+                artifact.FoundBy == "elf-binary-package-cataloger" && // Specific cataloger with invalid results
+                !artifact.Version.Contains('-', StringComparison.OrdinalIgnoreCase)) // Missing release version
+            .ToList();
+
+        if (elfVersionsWithoutRelease.Count > 0)
+        {
+            var removedComponents = new List<string>();
+            foreach (var elfArtifact in elfVersionsWithoutRelease)
+            {
+                removedComponents.Add($"{elfArtifact.Name} {elfArtifact.Version}");
+                artifactsList.Remove(elfArtifact);
+            }
+
+            syftTelemetryRecord.Mariner2ComponentsRemoved = JsonConvert.SerializeObject(removedComponents);
+        }
+
+        return artifactsList;
+    }
+}