Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sbom): detect OS from purl if OS component not found #7101

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

fix(sbom): detect OS from purl if OS component not found #7101

wants to merge 9 commits into from

Conversation

DmitriyLewen
Copy link
Contributor

Description

There are cases when SBOM file doesn't contain OS component.
To avoid missing OS packages -we can try to get OS from purl.
More details - #7073 (reply in thread)

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Jul 5, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review July 5, 2024 08:08
DmitriyLewen
DmitriyLewen commented Jul 5, 2024
View reviewed changes
pkg/sbom/io/decode.go
}
return s
})
return xerrors.Errorf("multiple OSes in SBOM are not supported (%q)", oses)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about it.
We can leave this error.

But if we get problems about this - we will update the logic to get the OS (from purl) with the maximum number of packages.

@eshafaq1
Copy link

@DmitriyLewen thank you for creating this PR, I too am seeing a lot of warnings when scanning wolfi images.

Question unrelated to PR: For these warning you mention in discussions/7073, is Trivy unable to scan the packages in the image therefore being unable to report accurate vulnerability info for Wolfi images?

@DmitriyLewen
Copy link
Contributor Author

Hello @eshafaq1

is Trivy unable to scan the packages in the image therefore being unable to report accurate vulnerability info for Wolfi images?

Trivy detects the following packages from wolfi images:

  1. apk packages obtained from lib/apk/db/installed file (default way to detect apk packages)
  2. packages from SBOM files (this PR for these packages).

IIUC packages from p1 and p2 is same (duplicates).
So you shouldn't have problem, because Trivy correctly detectы vulnerabilities for packages from p1.

@eshafaq1
Copy link

eshafaq1 commented Aug 8, 2024

Hopefully @knqyf263 can get some time to review :)

@DmitriyLewen DmitriyLewen mentioned this pull request Sep 2, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix(sbom): detect OS from purl if OS component not found
2 participants
@DmitriyLewen @eshafaq1