fix(sbom): detect main OS and ignore pkgs for other OSes #6907
I think they are not orphan packages. They belong to another OS. Since we don't support multiple OSes, we should ignore them. What do you think?
hmm... you're probably right, but then we must maintain order in order to exclude uncertainty (I mean that every time we scan a file with multiple OSes, we should take only the first one found)
Yes, we keep OSes as an array instead of picking up the first one, sort them somehow and pick up one of them deterministically.
Lines 121 to 130 in f7720f5
We can take the OS with the most related packages.
Sounds good. But we must consider cases where several OSes have the same number of packages.
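One way to implement the selection agreed on above (the OS with the most packages wins, equal counts are broken by a fixed order so the result does not depend on file-walk order), as an added example rather than code from the PR or from Trivy. The OS and Package types and the sample packages are constructed stand-ins, not the scanner's own structs:

```go
package main

import (
	"fmt"
	"sort"
)

// OS and Package are constructed stand-ins for the scanner's own types
// (assumption: not Trivy's real structs); they hold only what the
// selection needs.
type OS struct {
	Family string // e.g. "debian", "alpine"
	Name   string // release, e.g. "12", "3.18"
}

type Package struct {
	Name string
	OS   OS // the OS package database this package was read from
}

// osKey gives each OS a stable string key used for counting and tie-breaking.
func osKey(o OS) string { return o.Family + ":" + o.Name }

// selectMainOS returns the single OS to report for an image that carries
// package databases of several OSes: the one with the most packages.
// Equal counts are broken by lexical order on the key, so the choice is
// deterministic no matter in which order the files were walked.
func selectMainOS(pkgs []Package) (OS, bool) {
	counts := map[string]int{}
	byKey := map[string]OS{}
	for _, p := range pkgs {
		k := osKey(p.OS)
		counts[k]++
		byKey[k] = p.OS
	}
	if len(counts) == 0 {
		return OS{}, false
	}
	keys := make([]string, 0, len(counts))
	for k := range counts {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		ci, cj := counts[keys[i]], counts[keys[j]]
		if ci != cj {
			return ci > cj // more packages first
		}
		return keys[i] < keys[j] // deterministic tie-break
	})
	return byKey[keys[0]], true
}

// filterByOS keeps only the packages that belong to the selected OS; the
// rest are the "flaky" packages the PR wants to leave out of the SBOM.
func filterByOS(pkgs []Package, selected OS) []Package {
	var out []Package
	for _, p := range pkgs {
		if p.OS == selected {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample: a Debian image that also ships an Alpine apk database.
	pkgs := []Package{
		{Name: "libssl3", OS: OS{Family: "debian", Name: "12"}},
		{Name: "curl", OS: OS{Family: "debian", Name: "12"}},
		{Name: "musl", OS: OS{Family: "alpine", Name: "3.18"}},
	}
	selected, ok := selectMainOS(pkgs)
	if !ok {
		fmt.Println("no OS detected")
		return
	}
	fmt.Printf("main OS: %s, kept %d of %d packages\n",
		osKey(selected), len(filterByOS(pkgs, selected)), len(pkgs))
}
```

The tie-break is the part worth keeping explicit: with two equal counts, sorting by key means the same image always yields the same OS, which is the "deterministically" the thread asks for.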
pkg/fanal/types/package.go
Outdated
@@ -57,6 +57,7 @@ type PkgIdentifier struct { | |||
UID string `json:",omitempty"` // Calculated by the package struct | |||
PURL *packageurl.PackageURL `json:"-"` | |||
BOMRef string `json:",omitempty"` // For CycloneDX | |||
SPDXID string `json:",omitempty"` // For SPDX |
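Review bot: the new SPDXID field duplicates the role of BOMRef directly above it (both are per-package BOM references, one commented "For CycloneDX", the other "For SPDX"), so a package read from a CycloneDX input and written to an SPDX output carries two candidate identifiers with nothing recording which one is authoritative for the output format. Consider a single identifier field that stores the source format alongside the value, and state in the field's doc comment whether the stored SPDX identifier includes the SPDXRef- prefix, since that decides whether it compares equal to the SPDXID string in the source document.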
@knqyf263 wdyt about using BOMRef for SPDXID? The name (I mean BOMRef) can be confusing (because BOMRef is a field from CycloneDX), but using two fields for similar fields is also wrong.
I thought about it again. Using two same fields doesn't make sense and may lead to bugs. So I used PkgIdentifier.BOMRef for SPDXID in 964f16a.
How about the case where the input is CycloneDX, and the output is SPDX? I'm concerned BOM-Ref is mistakenly used as SPDX-ID, as we are currently trying to reuse the same ID after #7340.
You are right. After #7340 it can be a problem.
I thought about adding an SPDXID field (68abc78), but it looks like a bad way.
What if we use a struct with type + ref/ID, e.g.:
type BomType string // cyclonedx/spdx

type BomID struct {
	ID   string  // UUID/purl/SPDXID
	Type BomType // cyclonedx/spdx
}
If BomID.Type == outputType => save ID, otherwise create a new ID.
@@ -66,6 +66,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) { | |||
}, | |||
}, | |||
}, | |||
BOMRef: "Package-b7ebaf0233f1ef7b", |
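Review bot: the expected value BOMRef: "Package-b7ebaf0233f1ef7b" carries no SPDXRef- prefix, so the identifier stored after unmarshalling will not equal the SPDXID string written in the source SPDX document, and any comparison against raw SPDXIDs elsewhere in the pipeline will silently fail to match. Normalize the prefix in one place (strip it on input or add it on output) and document that convention in the field's comment, or assert the full SPDXRef- form here so the test itself records which form is canonical.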
github.com/spdx/tools-golang returns the Package SPDX identifier without the SPDXRef- prefix.
On the one hand, docs say: "SPDXRef-"[idstring] where [idstring] is a unique string containing letters, numbers, ., and/or -. (https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field). So id is the text after SPDXRef-.
On the other hand, BOMRef will not match the string from the SPDXID field.
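The BomID proposal from the earlier comment (reuse the input ID only when BomID.Type equals the output type, otherwise mint a new one) combined with the SPDXRef- prefix observation just above, written out as an added example; this is not Trivy's code or the PR's, only an illustration of the two rules working together. The fresh-ID callback, the validation helper and the sample purl are assumptions; the identifier Package-b7ebaf0233f1ef7b is the one from the test hunk:

```go
package main

import (
	"fmt"
	"strings"
)

// BomType records which SBOM format an identifier came from.
type BomType string

const (
	BomTypeCycloneDX BomType = "cyclonedx"
	BomTypeSPDX      BomType = "spdx"
)

// BomID is the struct proposed in the thread: the identifier together with
// the format that produced it.
type BomID struct {
	ID   string  // bom-ref (UUID/purl) for CycloneDX, SPDX identifier for SPDX
	Type BomType // the format in which ID is valid
}

// spdxRefPrefix is the mandatory prefix of an SPDX identifier in the SPDX 2.3
// spec; spdx/tools-golang hands back only the [idstring] after it.
const spdxRefPrefix = "SPDXRef-"

// outputRef decides what to write for a package in the output format. The
// input ID is reused only when it was produced by the same format
// (BomID.Type == outputType); otherwise a fresh one is generated, so a
// CycloneDX bom-ref never ends up as an SPDXID or vice versa. For SPDX
// output the prefix is always (re)applied, so a stripped identifier from the
// parser round-trips to the spec form without being doubled.
// fresh supplies new identifiers; its policy is the caller's (assumption).
func outputRef(in BomID, outputType BomType, fresh func() string) string {
	id := in.ID
	if id == "" || in.Type != outputType {
		id = fresh()
	}
	if outputType == BomTypeSPDX {
		return spdxRefPrefix + strings.TrimPrefix(id, spdxRefPrefix)
	}
	return id
}

// sameSPDXRef compares two SPDX identifiers regardless of whether one of them
// lost its prefix on the way through the parser.
func sameSPDXRef(a, b string) bool {
	return strings.TrimPrefix(a, spdxRefPrefix) == strings.TrimPrefix(b, spdxRefPrefix)
}

// validSPDXIDString checks the [idstring] rule quoted from the spec: letters,
// numbers, "." and "-" only, and not empty. Assumed helper, not from the PR.
func validSPDXIDString(id string) bool {
	s := strings.TrimPrefix(id, spdxRefPrefix)
	if s == "" {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '.', r == '-':
		default:
			return false
		}
	}
	return true
}

func main() {
	n := 0
	fresh := func() string {
		n++
		return fmt.Sprintf("Package-new-%d", n)
	}
	// Identifier as a prefix-stripping parser returns it from an SPDX file.
	fromSPDX := BomID{ID: "Package-b7ebaf0233f1ef7b", Type: BomTypeSPDX}
	fmt.Println(outputRef(fromSPDX, BomTypeSPDX, fresh))      // reused, prefix restored
	fmt.Println(outputRef(fromSPDX, BomTypeCycloneDX, fresh)) // new bom-ref, not the SPDXID
	// Constructed purl standing in for a CycloneDX bom-ref.
	fromCDX := BomID{ID: "pkg:deb/debian/curl@7.88.1", Type: BomTypeCycloneDX}
	fmt.Println(outputRef(fromCDX, BomTypeSPDX, fresh)) // new SPDXID, not the purl
	fmt.Println(sameSPDXRef("SPDXRef-Package-b7ebaf0233f1ef7b", fromSPDX.ID))
}
```

Keeping the format next to the identifier is what makes the CycloneDX-in, SPDX-out case from the review safe: the check is on BomID.Type, not on the shape of the string, so a purl or UUID is never mistaken for an SPDXID even after #7340 starts reusing IDs.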
This PR is stale because it has been labeled with inactivity. |
Description
Trivy doesn't currently support multiple OSes.
To avoid flaky packages, we need to sort the found OSes and select only one of them (packages for the other OSes should be ignored).
Sorting order:
Example flaky pkgs (nginx-helm.json file, see #5812 (comment)):
New Field
This PR adds a new SPDXID field for Package.Identifier. We populate this field from SPDX files, similar to BOMRef for CycloneDX files.
Related issues
Checklist