Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Preserve package IDs on Syft JSON SBOM decode #963

Merged
merged 1 commit into from
Apr 18, 2022

Conversation

wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Apr 18, 2022

Today we derive package IDs from the contents of the package itself after cataloging packages. The same has historically applied to IDs from decoded SBOMs, where we recreate the ID from the contents of all of the package info. This PR changes this behavior, allowing the decode path to set an ID on a package, thus honoring the ID from the original SBOM document, allowing external references to still remain valid for downstream processing (e.g. in grype, so the SBOM IDs will always match the package IDs in grype output).

Implementation note: I've left the ID aliasing logic in since it does not affect the correctness of the answer and there is a change this mechanism may be useful in the future if we want this behavior to be configurable (TBD).

@github-actions
Copy link

github-actions bot commented Apr 18, 2022

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.47ms ± 1%    1.33ms ± 6%   -9.23%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2            3.60ms ± 2%    3.32ms ± 6%   -7.75%  (p=0.008 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2    1.22ms ± 2%    1.11ms ± 6%   -8.46%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         799µs ± 1%     748µs ± 3%   -6.50%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     948µs ± 2%     871µs ± 3%   -8.11%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      851µs ± 2%     778µs ± 2%   -8.57%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      16.3ms ± 3%    14.7ms ± 3%  -10.01%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.39ms ± 4%    1.26ms ± 1%   -9.29%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.48µs ± 3%    2.30µs ± 2%   -7.56%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               184kB ± 0%     184kB ± 0%     ~     (p=0.135 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             896kB ± 0%     895kB ± 0%   -0.17%  (p=0.016 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     196kB ± 0%     196kB ± 0%     ~     (p=0.056 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         140kB ± 0%     140kB ± 0%     ~     (p=0.460 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     175kB ± 0%     175kB ± 0%     ~     (p=0.222 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      163kB ± 0%     163kB ± 0%     ~     (p=0.151 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.30MB ± 0%    3.30MB ± 0%     ~     (p=0.548 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.24MB ± 0%    1.24MB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            672B ± 0%      672B ± 0%     ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               3.66k ± 0%     3.66k ± 0%     ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             14.8k ± 0%     14.8k ± 0%     ~     (p=0.595 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     4.94k ± 0%     4.94k ± 0%     ~     (all equal)
ImagePackageCatalogers/javascript-package-cataloger-2         2.72k ± 0%     2.72k ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     3.93k ± 0%     3.93k ± 0%     ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      4.01k ± 0%     4.01k ± 0%     ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       52.2k ± 0%     52.2k ± 0%     ~     (p=0.476 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                      4.82k ± 0%     4.81k ± 0%     ~     (p=0.333 n=4+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            15.0 ± 0%      15.0 ± 0%     ~     (all equal)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
@wagoodman wagoodman force-pushed the preserve-syft-ids-on-decode branch from 630b984 to 9abd358 Compare April 18, 2022 17:55
@wagoodman wagoodman enabled auto-merge (squash) April 18, 2022 17:58
@wagoodman wagoodman merged commit 172ecc0 into main Apr 18, 2022
@wagoodman wagoodman deleted the preserve-syft-ids-on-decode branch April 18, 2022 18:10
@wagoodman wagoodman added the enhancement New feature or request label Apr 18, 2022
@wagoodman wagoodman changed the title Preserve syft IDs on SBOM decode Preserve package IDs on Syft JSON SBOM decode Apr 18, 2022
spiffcs added a commit that referenced this pull request Apr 19, 2022
* main:
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
spiffcs added a commit that referenced this pull request May 2, 2022
* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21 pushed a commit to rigzba21/syft that referenced this pull request May 5, 2022
Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants