From b4ed5994812b761a7865d8e9c5724087d405ca60 Mon Sep 17 00:00:00 2001
From: mikey strauss
Date: Mon, 15 May 2023 16:57:21 +0300
Subject: [PATCH] fix: retain sbom cataloger relationships (#1509)
Signed-off-by: Eitan Goldenstein
Co-authored-by: Eitan Goldenstein
---
 .../internal/pkgtest/test_generic_parser.go | 1 -
 syft/pkg/cataloger/sbom/cataloger.go | 2 +-
 syft/pkg/cataloger/sbom/cataloger_test.go | 126 ++++-
 .../alpine/syft-json/sbom.syft.json | 528 +-----
 4 files changed, 129 insertions(+), 528 deletions(-)
diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
index 99df368f45e..43e024673f1 100644
--- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
+++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
@@ -247,7 +247,6 @@ func (p *CatalogTester) assertPkgs(t *testing.T, pkgs []pkg.Package, relationshi
 t.Errorf("unexpected packages from parsing (-expected +actual)\n%s", diff)
 }
 }
-
 {
 var r diffReporter
 var opts []cmp.Option
diff --git a/syft/pkg/cataloger/sbom/cataloger.go b/syft/pkg/cataloger/sbom/cataloger.go
index 3b7f9c14bec..c66c9940ab9 100644
--- a/syft/pkg/cataloger/sbom/cataloger.go
+++ b/syft/pkg/cataloger/sbom/cataloger.go
@@ -41,7 +41,7 @@ func parseSBOM(_ source.FileResolver, _ *generic.Environment, reader source.Loca
 }
 
 var pkgs []pkg.Package
- var relationships []artifact.Relationship
+ relationships := s.Relationships
 for _, p := range s.Artifacts.Packages.Sorted() {
 // replace all locations on the package with the location of the SBOM file.
 // Why not keep the original list of locations? Since the "locations" field is meant to capture
diff --git a/syft/pkg/cataloger/sbom/cataloger_test.go b/syft/pkg/cataloger/sbom/cataloger_test.go
index ea372d50ccc..f7459d5d560 100644
--- a/syft/pkg/cataloger/sbom/cataloger_test.go
+++ b/syft/pkg/cataloger/sbom/cataloger_test.go
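Review bot: `relationships := s.Relationships` makes the local slice alias the slice inside the decoded SBOM, so the appends that follow later in parseSBOM (outside this hunk) can write into the backing array of `s.Relationships`; taking a copy, `relationships := append([]artifact.Relationship(nil), s.Relationships...)`, keeps the parsed document untouched and costs one allocation. The retained relationships are carried over verbatim from an externally supplied document, while the loop that starts on the next line rewrites each package's locations to the SBOM file's location, so the `From`/`To` endpoints still describe the packages as they appeared in the input (the new Test_parseSBOM expectations keep `/lib/apk/db/installed` on them) and nothing in the hunk checks that an endpoint refers to a package that is actually emitted; this is presumably intended, but it deserves a line such as `// relationships are taken as-is from the input SBOM; their endpoints keep the original package locations` above the assignment. parseSBOM's body continues outside the hunk.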
@@ -252,7 +252,131 @@ func Test_parseSBOM(t *testing.T) {
 },
 }
 
- var expectedRelationships []artifact.Relationship
+ apkgdbLocation := source.NewLocationSet(source.Location{
+ LocationData: source.LocationData{
+ Coordinates: source.Coordinates{
+ RealPath: "/lib/apk/db/installed",
+ FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+ },
+ },
+ })
+
+ libSSL := pkg.Package{
+ Name: "libssl1.1",
+ Version: "1.1.1s-r0",
+ Type: "apk",
+ Locations: apkgdbLocation,
+ Licenses: []string{"OpenSSL"},
+ FoundBy: "apkdb-cataloger",
+ PURL: "pkg:apk/alpine/libssl1.1@1.1.1s-r0?arch=x86_64&upstream=openssl&distro=alpine-3.16.3",
+ CPEs: mustCPEs(
+ "cpe:2.3:a:libssl1.1:libssl1.1:1.1.1s-r0:*:*:*:*:*:*:*",
+ ),
+ }
+
+ sslClient := pkg.Package{
+ Name: "ssl_client",
+ Version: "1.35.0-r17",
+ Type: "apk",
+ Locations: apkgdbLocation,
+ Licenses: []string{"GPL-2.0-only"},
+ FoundBy: "apkdb-cataloger",
+ PURL: "pkg:apk/alpine/ssl_client@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+ CPEs: mustCPEs(
+ "cpe:2.3:a:ssl-client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+ "cpe:2.3:a:ssl-client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+ "cpe:2.3:a:ssl_client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+ "cpe:2.3:a:ssl_client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+ "cpe:2.3:a:ssl:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+ "cpe:2.3:a:ssl:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+ ),
+ }
+
+ baseLayout := pkg.Package{
+ Name: "alpine-baselayout",
+ Version: "3.2.0-r23",
+ Type: "apk",
+ Locations: apkgdbLocation,
+ Licenses: []string{"GPL-2.0-only"},
+ FoundBy: "apkdb-cataloger",
+ PURL: "pkg:apk/alpine/alpine-baselayout@3.2.0-r23?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.3",
+ CPEs: mustCPEs(
+ "cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ "cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ "cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ "cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ "cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ "cpe:2.3:a:alpine:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+ ),
+ }
+
+ busybox := pkg.Package{
+ Name: "busybox",
+ Version: "1.35.0-r17",
+ Type: "apk",
+ Locations: apkgdbLocation,
+ Licenses: []string{"GPL-2.0-only"},
+ FoundBy: "apkdb-cataloger",
+ PURL: "pkg:apk/alpine/busybox@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+ CPEs: mustCPEs(
+ "cpe:2.3:a:busybox:busybox:1.35.0-r17:*:*:*:*:*:*:*",
+ ),
+ }
+
+ musl := pkg.Package{
+ Name: "musl",
+ Version: "1.2.3-r1",
+ Type: "apk",
+ Locations: apkgdbLocation,
+ Licenses: []string{"MIT"},
+ FoundBy: "apkdb-cataloger",
+ PURL: "pkg:apk/alpine/musl@1.2.3-r1?arch=x86_64&upstream=musl&distro=alpine-3.16.3",
+ CPEs: mustCPEs(
+ "cpe:2.3:a:musl:musl:1.2.3-r1:*:*:*:*:*:*:*",
+ ),
+ }
+
+ expectedRelationships := []artifact.Relationship{
+ {
+ From: libSSL,
+ To: sslClient,
+ Type: artifact.DependencyOfRelationship,
+ },
+ {
+ From: libSSL,
+ To: source.Coordinates{
+ RealPath: "/lib/libssl.so.1.1",
+ FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+ },
+ Type: artifact.ContainsRelationship,
+ },
+ {
+ From: busybox,
+ To: baseLayout,
+ Type: artifact.DependencyOfRelationship,
+ },
+ {
+ From: baseLayout,
+ To: source.Coordinates{
+ RealPath: "/etc/profile.d/color_prompt.sh.disabled",
+ FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+ },
+ Type: artifact.ContainsRelationship,
+ },
+ {
+ From: baseLayout,
+ To: source.Coordinates{
+ RealPath: "/etc/modprobe.d/kms.conf",
+ FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+ },
+ Type: artifact.ContainsRelationship,
+ },
+ {
+ From: musl,
+ To: libSSL,
+ Type: artifact.DependencyOfRelationship,
+ },
+ }
 
 for _, p := range expectedPkgs {
 expectedRelationships = append(expectedRelationships, artifact.Relationship{
diff --git a/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json b/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json
index c9e83d12045..41d0600c00a 100644
--- a/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json
+++ b/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json
@@ -2020,11 +2020,6 @@
 }
 ],
 "artifactRelationships": [
- {
- "parent": "1455a8342bbb31ff",
- "child": "42d502b764a37310",
- "type": "dependency-of"
- },
 {
 "parent": "1455a8342bbb31ff",
 "child": "674d1e2fba4d633a",
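Review bot: The layer digest `sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd` is spelled out four times in this hunk (`apkgdbLocation` and the three `source.Coordinates` literals in `expectedRelationships`); hoisting it once, `const alpineLayerID = "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd"`, ties every endpoint to the fixture's identity in one place so a regenerated fixture is a one-line change. The five package literals also repeat `Type: "apk"`, `Locations: apkgdbLocation` and `FoundBy: "apkdb-cataloger"` verbatim, so a small closure that builds an apkdb package from the fields that actually differ would shrink the block considerably (this assumes `mustCPEs` is variadic, as its call sites here suggest). A short comment above `expectedRelationships`, e.g. `// endpoints keep the apkdb location from the input SBOM; only the emitted packages are re-located to the SBOM file`, would explain to the next reader why these packages do not match the locations expected in `expectedPkgs`. Test_parseSBOM begins and ends outside the hunk.
```go
	// apkPkg builds an apk package as the alpine fixture records it in the apkdb.
	apkPkg := func(name, version, license, purl string, cpes ...string) pkg.Package {
		return pkg.Package{
			Name:      name,
			Version:   version,
			Type:      "apk",
			Locations: apkgdbLocation,
			Licenses:  []string{license},
			FoundBy:   "apkdb-cataloger",
			PURL:      purl,
			CPEs:      mustCPEs(cpes...),
		}
	}

	libSSL := apkPkg("libssl1.1", "1.1.1s-r0", "OpenSSL",
		"pkg:apk/alpine/libssl1.1@1.1.1s-r0?arch=x86_64&upstream=openssl&distro=alpine-3.16.3",
		"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1s-r0:*:*:*:*:*:*:*",
	)
	// … unchanged: sslClient, baseLayout, busybox and musl built the same way; expectedRelationships …
```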
@@ -2035,71 +2030,13 @@ "child": "bf6955e2941356b2", "type": "contains" }, - { - "parent": "206fdb47b3e980eb", - "child": "716efe160a925698", - "type": "dependency-of" - }, - { - "parent": "206fdb47b3e980eb", - "child": "ae378054cbd7ef90", - "type": "contains" - }, - { - "parent": "30622a1848b22bca", - "child": "42d502b764a37310", - "type": "dependency-of" - }, - { - "parent": "30622a1848b22bca", - "child": "f2d3dfa05f2554a0", - "type": "contains" - }, - { - "parent": "42d502b764a37310", - "child": "6a92934c972808b8", - "type": "contains" - }, - { - "parent": "42d502b764a37310", - "child": "b04bc3289bb54853", - "type": "contains" - }, - { - "parent": "4b48ef6f6b983526", - "child": "231e2b9b768a1fff", - "type": "contains" - }, - { - "parent": "4b48ef6f6b983526", - "child": "51a0badf3b704202", - "type": "contains" - }, + { "parent": "4b48ef6f6b983526", "child": "61eac5ce8105d394", "type": "dependency-of" }, - { - "parent": "4b48ef6f6b983526", - "child": "78bf055cad090d65", - "type": "contains" - }, - { - "parent": "4b48ef6f6b983526", - "child": "7b5d21b40bc7eee7", - "type": "contains" - }, - { - "parent": "4b48ef6f6b983526", - "child": "91817eca9cc4b5de", - "type": "contains" - }, - { - "parent": "4b48ef6f6b983526", - "child": "a2c9b7dd9588eed5", - "type": "contains" - }, + { "parent": "61eac5ce8105d394", "child": "2a20bd42108d699a", 
@@ -2110,470 +2047,11 @@ "child": "3617fb189dce6482", "type": "contains" }, - { - "parent": "61eac5ce8105d394", - "child": "3b5675f91b90110", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "6407d5cf424b18ad", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "7e87ca025472176a", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "84e95c181a3977e9", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "9ce07ed49f8fb925", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "b83f6a50a3bd4519", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "c7d306fe1c6785c7", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "c82217b71778b876", - "type": "contains" - }, - { - "parent": "61eac5ce8105d394", - "child": "e6b17bb11a720679", - "type": "contains" - }, + { "parent": "64efc8a629f13d02", "child": "1455a8342bbb31ff", "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "206fdb47b3e980eb", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "42d502b764a37310", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "42d502b764a37310", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "4b48ef6f6b983526", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "4c909bab2f47ab6", - "type": "contains" - }, - { - "parent": "64efc8a629f13d02", - "child": "61eac5ce8105d394", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "674d1e2fba4d633a", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "716efe160a925698", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "75f0d92f695b4303", - "type": "dependency-of" - }, - { - "parent": "64efc8a629f13d02", - "child": "8184c2647c8f0bf1", - "type": "dependency-of" - }, - { - "parent": 
"674d1e2fba4d633a", - "child": "dfa8a561b5b9eed", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "1455a8342bbb31ff", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "206fdb47b3e980eb", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "2abd3b45f6fa4702", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "30622a1848b22bca", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "42d502b764a37310", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "4b48ef6f6b983526", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "61eac5ce8105d394", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "64efc8a629f13d02", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "674d1e2fba4d633a", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "716efe160a925698", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "75f0d92f695b4303", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "8184c2647c8f0bf1", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - "child": "82d183eb300978cc", - "type": "contains" - }, - { - "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232", - 
"child": "e8c6fcc3a282ed4f", - "type": "contains" - }, - { - "parent": "716efe160a925698", - "child": "1b47e047a7a2d57c", - "type": "contains" - }, - { - "parent": "716efe160a925698", - "child": "2abd3b45f6fa4702", - "type": "dependency-of" - }, - { - "parent": "716efe160a925698", - "child": "72d84b54cc507273", - "type": "contains" - }, - { - "parent": "716efe160a925698", - "child": "88f42084360d15dc", - "type": "contains" - }, - { - "parent": "716efe160a925698", - "child": "e0f2d4db60a9b798", - "type": "contains" - }, - { - "parent": "716efe160a925698", - "child": "e4f8a4c0b073c8bc", - "type": "contains" - }, - { - "parent": "75f0d92f695b4303", - "child": "42d502b764a37310", - "type": "dependency-of" - }, - { - "parent": "75f0d92f695b4303", - "child": "52dc0abd8e7f5999", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "1455a8342bbb31ff", - "type": "dependency-of" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "287e44a117aa6396", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "2ea8f53adecae6f3", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "34a945b6fcfc9394", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "42d502b764a37310", - "type": "dependency-of" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "461f2cb164a4d9de", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "5217fc877d4a56a3", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "5b247851eb9d9920", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "629d9b60ae1d9e52", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "674d1e2fba4d633a", - "type": "dependency-of" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "7c76c319483f88f8", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": "80d54a8d1cb02a6b", - "type": "contains" - }, - { - "parent": "8184c2647c8f0bf1", - "child": 
"e90735c3db4c5cc", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "202110ab27dcf973", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "3078ae894cd9cfbd", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "387bdef96b1af6e4", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "388b915e3caf5f8b", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "3d8ddf18e3124850", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "44900ed9ce94fa9e", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "487fe69baafa2d7e", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "5353cb0dc92ea4b", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "55708c7a7e686d62", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "55e20144d113e62d", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "59a8217f4f6c22a1", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "68769d7fd3919789", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "6a0ff9781347bfd9", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "6fbe3c2a939ebbd2", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "7e6812fc46b6a77", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "983be5c7034a6165", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "a01e0e5b23c3173d", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "af97d47465df73a7", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "c4944df811809487", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "e041389ecc1c5526", - "type": "contains" - }, - { - "parent": "82d183eb300978cc", - "child": "f02ff58080ad2795", - "type": "contains" - }, - { 
- "parent": "82d183eb300978cc", - "child": "f7de852c28002fea", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "33b11b3a2ec70e8f", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "3426822570585ca6", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "37f2712bfdc05029", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "61eac5ce8105d394", - "type": "dependency-of" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "65ba00203fcb00b7", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "98d3eb523b0b443b", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "98fd433dcbda9dd8", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "aa75789d9e818133", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "aebdc91357768244", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "c7479ec33c892d37", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "de09f2147681af25", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "e1ce65f920562037", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "f68970af52c912d3", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "fc7c614fbff1fe93", - "type": "contains" - }, - { - "parent": "e8c6fcc3a282ed4f", - "child": "ff4dbb6e8f3bb698", - "type": "contains" } ], "files": [