feat(vex): add PURL matching for CSAF VEX (aquasecurity#5890)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
knqyf263 authored Jan 10, 2024
1 parent 958e1f1 commit d0c81e2
Showing 29 changed files with 1,236 additions and 1,390 deletions.
12 changes: 6 additions & 6 deletions integration/testdata/conda-spdx.json.golden
Expand Up @@ -22,7 +22,7 @@
},
{
"name": "openssl",
"SPDXID": "SPDXRef-Package-38e5db7a21fc70a8",
"SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
"versionInfo": "1.1.1q",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
Expand All @@ -43,7 +43,7 @@
},
{
"name": "pip",
"SPDXID": "SPDXRef-Package-f9844c873ead5dbe",
"SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
"versionInfo": "22.2.2",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
Expand Down Expand Up @@ -110,21 +110,21 @@
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-38e5db7a21fc70a8",
"relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-38e5db7a21fc70a8",
"spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-f9844c873ead5dbe",
"relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-f9844c873ead5dbe",
"spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"relationshipType": "CONTAINS"
}
3 changes: 0 additions & 3 deletions pkg/fanal/analyzer/sbom/sbom.go
Expand Up @@ -88,9 +88,6 @@ func handleBitnamiImages(componentPath string, bom types.SBOM) {
// If the file path is empty, the file path will be set to the component dir path.
filePath := path.Join(componentPath, pkg.FilePath)
bom.Applications[i].Libraries[j].FilePath = filePath
if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.FilePath != "" {
bom.Applications[i].Libraries[j].Identifier.PURL.FilePath = filePath
}
}
}
}
132 changes: 54 additions & 78 deletions pkg/fanal/analyzer/sbom/sbom_test.go
Expand Up @@ -35,13 +35,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
},
},
Expand All @@ -50,13 +48,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
},
},
Expand All @@ -65,13 +61,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-common",
Version: "1.36.0",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-common",
Version: "1.36.0",
},
},
},
Expand All @@ -80,13 +74,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-core",
Version: "1.36.0",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-core",
Version: "1.36.0",
},
},
},
Expand All @@ -102,16 +94,14 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Arch: "arm64",
Licenses: []string{"Elastic-2.0"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "elasticsearch",
Version: "8.9.1",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "arm64",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "elasticsearch",
Version: "8.9.1",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "arm64",
},
},
},
Expand All @@ -137,14 +127,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Name: "co.elastic.apm:apm-agent",
Version: "1.36.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
BOMRef: "pkg:maven/co.elastic.apm/apm-agent@1.36.0",
},
Expand All @@ -154,14 +141,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Name: "co.elastic.apm:apm-agent-cached-lookup-key",
Version: "1.36.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
BOMRef: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0",
},
Expand All @@ -187,12 +171,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "3.7.1",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "gdal",
Version: "3.7.1",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "gdal",
Version: "3.7.1",
},
},
},
Expand All @@ -201,12 +183,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "3.8.3",
Licenses: []string{"LGPL-2.1-only"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "geos",
Version: "3.8.3",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "geos",
Version: "3.8.3",
},
},
},
Expand All @@ -215,12 +195,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "15.3.0",
Licenses: []string{"PostgreSQL"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "postgresql",
Version: "15.3.0",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "postgresql",
Version: "15.3.0",
},
},
},
Expand All @@ -229,12 +207,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "6.3.2",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "proj",
Version: "6.3.2",
},
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "proj",
Version: "6.3.2",
},
},
},
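Review bot: The expected `co.elastic.apm:apm-agent` and `co.elastic.apm:apm-agent-cached-lookup-key` packages in the hunk starting `@@ -137,14 +127,11 @@` drop the jar path that was previously asserted through `PURL.FilePath`, and no replacement assertion for that path is visible in the hunk. The production change in sbom.go still executes `bom.Applications[i].Libraries[j].FilePath = filePath` for Bitnami images, so unless the collapsed fields above `Name:` already carry `FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar"` on the package itself, that assignment is now exercised by the test but never checked. If the field is indeed absent, adding that one `FilePath:` line to each of the two expected packages keeps the Bitnami path rewriting covered. Test_sbomAnalyzer_Analyze begins above this hunk and its body continues outside it, so the surrounding expected struct is not fully visible here.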