-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(sbom): export bom-ref when converting a package to a component #7340
base: main
Are you sure you want to change the base?
Conversation
pkg/sbom/cyclonedx/marshal_test.go
Outdated
@@ -1607,7 +1607,7 @@ func TestMarshaler_MarshalReport(t *testing.T) { | |||
Updated: "2022-12-20T10:15:00+00:00", | |||
Affects: &[]cdx.Affects{ | |||
{ | |||
Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]", | |||
Ref: "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=jackson-databind-2.13.4.1.jar", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't include file paths in PURL anymore. If it remains somewhere, it should be deleted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, I'm removing it
amf seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
We should add a new test to ensure original BOM-Refs are kept as-is. In the existing test, the input is SBOM, but the output is Trivy JSON. trivy/integration/sbom_test.go Lines 51 to 59 in 6a72dd4
|
The testcase is added now. |
integration/sbom_test.go
Outdated
{ | ||
name: "scan SBOM into SBOM", | ||
args: args{ | ||
input: "testdata/fixtures/sbom/pywin32-cyclonedx.json", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we re-use the existing json, fluentd-multiple-lockfiles-cyclonedx.json
? You can change this file to use UUID in BOM-Ref.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the testcase is updated fluentd-multiple-lockfiles-cyclonedx.json
.
I wanted to use fluentd-multiple-lockfiles.cdx.json.golden
also, but this cdx result is a large, because it's result for fluentd-multiple-lockfiles.tar.gz
. fluentd-multiple-lockfiles-cyclonedx.json
is shorter.
so I've created a new golden file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@afdesk I may have found another issue (maybe for another PR):
File iD0PiatU
contains 2 same packages with different BOMRefs.
Should we show 2 BOMrefs in affects
array:
something like that:
"affects": [
{
"ref": "pkg:pypi/pywin32@227",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
{
"ref": "de3ojve0eoj0j0je",
"versions": [
{
"version": "227",
"status": "affected"
}
]
}
]
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000006", | ||
"type": "operating-system", | ||
"name": "debian", | ||
"version": "10.2", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
input and output bomrefs for OS are not equial:
trivy/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json
Lines 107 to 110 in bfdf5cf
"bom-ref": "353f2470-9c8b-4647-9d0d-96d893838dc8", | |
"type": "operating-system", | |
"name": "debian", | |
"version": "10.2", |
Now Trivy builds new SBOM components from the result: Line 260 in 98e136e
to keep existing BOM-refs we should look for this one (if report.BOM != nil) by name and save it. if we don't want to use this logic I can see 2 options:
@knqyf263 @DmitriyLewen wdyt? thanks |
I think we can try to use this way. Lines 120 to 136 in 98e136e
Do you mean BOMrefs for #2? Lines 160 to 173 in 98e136e
I am not sure about this. |
yes, for |
@DmitriyLewen could you take a look? thanks |
pkg/sbom/cyclonedx/unmarshal.go
Outdated
if c.PackageURL != "" { | ||
purl, err = packageurl.FromString(c.PackageURL) | ||
purl = &packageurl.PackageURL{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like we can remove this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it seems that no, we have to allocate memory
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
pkg/sbom/io/encode.go
Outdated
@@ -283,6 +288,14 @@ func (e *Encoder) resultComponent(root *core.Component, r types.Result, osFound | |||
component.Type = core.TypeApplication | |||
} | |||
|
|||
// try to look for BOM-ref for this component | |||
for _, c := range e.components { | |||
if c.Name == component.Name && c.Type == component.Type { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIRC we correctly store BomRefs for the Root
component and packages.
Do we need this check for all types? maybe we can do this check only for Application
and OperatingSystem
types?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@knqyf263 take a look, when you have time
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
I have refactored. @DmitriyLewen @afdesk Can you please take a look? |
Description
Reproduction Steps
Before:
After:
Related issues
Checklist