
When api_ver == '0.1', epoch becomes 0 regardless of its actual value #48

Open
KAWAHARA-souta opened this issue Sep 12, 2024 · 0 comments

Comments

@KAWAHARA-souta
Contributor

When api_ver == '0.1', epoch becomes 0 regardless of its actual value.
For packages where epoch is a value other than 0, an incorrect value (=0) is set.

Reproducer

The epoch value of cups-2.3.3op2-16.el9.x86_64.rpm is '1'

$ curl -LO https://vault.almalinux.org/9.2/AppStream/x86_64/os/Packages/cups-2.3.3op2-16.el9.x86_64.rpm
$ rpm -q --qf "%{NAME} %{EPOCH}\n" -p cups-2.3.3op2-16.el9.x86_64.rpm 
cups 1

Creating an SBOM and checking the epoch value, it becomes 0.

$ sha256sum cups-2.3.3op2-16.el9.x86_64.rpm
5c0c2090a37ec20653c60264df156ee0d7a704dc560f4ecd23dc4c22b2679a9c  cups-2.3.3op2-16.el9.x86_64.rpm
$ python alma_sbom.py --rpm-package-hash 5c0c2090a37ec20653c60264df156ee0d7a704dc560f4ecd23dc4c22b2679a9c --file-format spdx-json --output-file cups-2.3.3op2-16.el9.x86_64.spdx.json
$ grep -B4 -A1 "epoch" cups-2.3.3op2-16.el9.x86_64.spdx.json
                {
                    "annotationDate": "2024-09-12T14:03:22Z",
                    "annotationType": "OTHER",
                    "annotator": "Tool: alma-sbom 0.0.2",
                    "comment": "almalinux:package:epoch=0"
                },

Overview of this issue

When api_ver == '0.1', split_name_of_package_by_nevra is used to attempt to split the package name and obtain the NEVRA of the package.

https://github.com/AlmaLinux/alma-sbom/blob/main/alma_sbom.py#L143-L155

    if api_ver == '0.1':
        package_name = immudb_info_about_package['Name']
        package_nevra = split_name_of_package_by_nevra(package_name)
        source_rpm = None
    else:
        package_nevra = PackageNevra(
            name=immudb_metadata['name'],
            epoch=immudb_metadata['epoch'],
            version=immudb_metadata['version'],
            release=immudb_metadata['release'],
            arch=immudb_metadata['arch'],
        )
        source_rpm = immudb_metadata['sourcerpm']

However, the package names handled by alma-sbom do not include the epoch, and split_name_of_package_by_nevra does not retrieve the epoch either.

https://github.com/AlmaLinux/alma-sbom/blob/main/alma_sbom.py#L98C1-L108C25

def split_name_of_package_by_nevra(package_name: str) -> PackageNevra:
    package_nevra = PackageNevra()

    split_by_dot = package_name.replace('.rpm', '')[::-1].split('.', 1)
    package_nevra.arch = split_by_dot[0][::-1]
    split_by_hyphen = split_by_dot[1].split('-', 2)
    package_nevra.release = split_by_hyphen[0][::-1]
    package_nevra.version = split_by_hyphen[1][::-1]
    package_nevra.name = split_by_hyphen[2][::-1]

    return package_nevra

In the constructor of the PackageNevra class, epoch is set to None, and when epoch is None, it is interpreted as equivalent to 0. Therefore, when api_ver == '0.1', epoch always becomes 0.

https://github.com/AlmaLinux/alma-sbom/blob/main/alma_sbom.py#L26-L31

@dataclasses.dataclass
class PackageNevra:
    name: str = None
    epoch: str = None
    version: str = None
    release: str = None
    arch: str = None

I think it would be good to remove the epoch and adopt NVRA when api_ver == '0.1'.
I'm thinking of addressing this while also considering the data structure of the sbom class.
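As an added illustration (example code written for this page, not code from the alma-sbom project and not a patch proposed in the issue above): the root cause is that an RPM file name such as `cups-2.3.3op2-16.el9.x86_64.rpm` carries only N-V-R-A, so any parser fed that string cannot recover the epoch, and a dataclass default of `None` that is later rendered as `0` turns "unknown" into a wrong, specific value. For SBOM consumers that match packages against advisories by EVR, `0:2.3.3op2-16.el9` and `1:2.3.3op2-16.el9` are different versions, so the fabricated `0` can make a vulnerable package look patched or vice versa. The parser below keeps "unknown" distinct from "0": it returns `None` for the epoch when the input has none, recognises the two epoch spellings that real tooling emits (`name-E:V-R.A`, which is what `rpm -q --qf '%{NEVRA}'` prints, and `E:name-V-R.A`), and the annotation helper refuses to emit an `almalinux:package:epoch=` comment unless the epoch is actually known. The sample package strings are constructed from the cups package quoted in the issue; `split_nevra` and `epoch_annotation` are names chosen here, not project functions.

```python
import dataclasses
from typing import Optional


@dataclasses.dataclass
class PackageNevra:
    """NEVRA with an explicit 'unknown' state for the epoch (None != '0')."""
    name: Optional[str] = None
    epoch: Optional[str] = None   # None means "not present in the input", not "0"
    version: Optional[str] = None
    release: Optional[str] = None
    arch: Optional[str] = None


def split_nevra(package: str) -> PackageNevra:
    """Parse 'name-version-release.arch[.rpm]' with an optional epoch.

    Accepted epoch spellings (both are produced by real RPM tooling):
      name-E:version-release.arch   (rpm -q --qf '%{NEVRA}')
      E:name-version-release.arch   (some repository/metadata tools)
    Plain RPM file names never carry an epoch, so epoch stays None for them.
    """
    body = package[:-4] if package.endswith('.rpm') else package
    try:
        # arch is everything after the last '.', then release/version are the
        # last two '-'-separated fields; the name may itself contain hyphens.
        rest, arch = body.rsplit('.', 1)
        name, version, release = rest.rsplit('-', 2)
    except ValueError:
        raise ValueError(f'not an N[E]VRA string: {package!r}') from None

    epoch: Optional[str] = None
    if ':' in version:                      # name-E:V-R.A
        epoch, version = version.split(':', 1)
    elif ':' in name:                       # E:name-V-R.A
        epoch, name = name.split(':', 1)

    if epoch is not None and not epoch.isdigit():
        raise ValueError(f'epoch must be numeric in {package!r}, got {epoch!r}')

    return PackageNevra(name=name, epoch=epoch, version=version,
                        release=release, arch=arch)


def epoch_annotation(nevra: PackageNevra) -> Optional[str]:
    """Return the SPDX annotation comment for the epoch, or None when unknown.

    Emitting 'epoch=0' for an unknown epoch is exactly the defect described in
    the issue; a consumer should see no epoch rather than a fabricated one.
    """
    if nevra.epoch is None:
        return None
    return f'almalinux:package:epoch={nevra.epoch}'


def evr(nevra: PackageNevra) -> str:
    """'E:V-R' as used for version comparison; 'E' omitted only when unknown."""
    vr = f'{nevra.version}-{nevra.release}'
    return vr if nevra.epoch is None else f'{nevra.epoch}:{vr}'


if __name__ == '__main__':
    # Constructed inputs based on the cups package from the issue.
    for s in ('cups-2.3.3op2-16.el9.x86_64.rpm',      # file name: no epoch available
              'cups-1:2.3.3op2-16.el9.x86_64',        # %{NEVRA}: epoch known
              '1:cups-2.3.3op2-16.el9.x86_64',        # epoch-prefixed spelling
              'python3-libs-3.9.16-1.el9.x86_64'):    # hyphenated name
        n = split_nevra(s)
        print(f'{s:40} -> {n.name} evr={evr(n)} annotation={epoch_annotation(n)}')
```

The practical check for an SBOM generator is the file-name case: `split_nevra('cups-2.3.3op2-16.el9.x86_64.rpm')` yields `epoch=None` and `epoch_annotation` returns `None`, so the document honestly records N-V-R-A only, whereas the full NEVRA string yields `epoch='1'` and the annotation `almalinux:package:epoch=1` that the reproducer above expected to see.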
