Preserve package IDs on Syft JSON SBOM decode #963
Merged
kzantow approved these changes on Apr 18, 2022
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
wagoodman force-pushed the preserve-syft-ids-on-decode branch from 630b984 to 9abd358 on April 18, 2022 17:55
wagoodman changed the title from "Preserve syft IDs on SBOM decode" to "Preserve package IDs on Syft JSON SBOM decode" on Apr 18, 2022
spiffcs added a commit that referenced this pull request on May 2, 2022:
* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21 pushed a commit to rigzba21/syft that referenced this pull request on May 5, 2022:

Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request on Feb 19, 2024
Today we derive package IDs from the contents of the package itself after cataloging packages. The same has historically applied to IDs from decoded SBOMs, where we recreate the ID from the contents of all of the package info. This PR changes this behavior, allowing the decode path to set an ID on a package, thus honoring the ID from the original SBOM document, allowing external references to still remain valid for downstream processing (e.g. in grype, so the SBOM IDs will always match the package IDs in grype output).
Implementation note: I've left the ID aliasing logic in since it does not affect the correctness of the answer and there is a chance this mechanism may be useful in the future if we want this behavior to be configurable (TBD).
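The behaviour change described in the PR, as an added Go example that is not syft's own code: a decoder that either recomputes every package ID from package content (the old behaviour) or honours the ID carried in the SBOM document and derives an ID only where one is missing (the new behaviour), together with a check that shows why the distinction matters for downstream consumers that reference packages by ID. The `Package`, `Relationship` and `Document` types, their JSON field names, the `DeriveID`, `Decode` and `DanglingRelationships` functions, and the sample document are all assumptions made for this example and do not reflect Syft's real schema or internals. One caveat is built in: once document IDs are trusted rather than recomputed, a malformed or malicious SBOM can carry duplicate IDs, so the decoder rejects those instead of silently letting one package shadow another.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Package is a simplified stand-in for a package entry in a Syft-style JSON
// SBOM. The field set is an assumption for this example, not Syft's schema.
type Package struct {
	ID      string `json:"id,omitempty"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Type    string `json:"type"`
	PURL    string `json:"purl,omitempty"`
}

// Relationship is an edge between two packages, referenced by package ID.
type Relationship struct {
	Parent string `json:"parent"`
	Child  string `json:"child"`
	Type   string `json:"type"`
}

// Document is the minimal SBOM shape decoded here.
type Document struct {
	Artifacts     []Package      `json:"artifacts"`
	Relationships []Relationship `json:"relationships"`
}

// DeriveID recomputes an ID from package content, the way a cataloger would
// after discovering the package itself. The ID field is blanked before hashing
// so the result is the same whether or not an ID was already set.
func DeriveID(p Package) string {
	p.ID = ""
	raw, _ := json.Marshal(p) // struct field order is fixed, so this is deterministic
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:8])
}

// Decode parses a document. With preserveIDs=false every package ID is
// recomputed from content (old behaviour); with preserveIDs=true an ID carried
// in the document is honoured and only missing IDs are derived (new behaviour).
// Honouring document IDs means trusting them, so duplicate IDs are rejected.
func Decode(data []byte, preserveIDs bool) (Document, error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return doc, err
	}
	seen := make(map[string]int, len(doc.Artifacts))
	for i := range doc.Artifacts {
		p := &doc.Artifacts[i]
		if !preserveIDs || p.ID == "" {
			p.ID = DeriveID(*p)
		}
		if prev, dup := seen[p.ID]; dup {
			return doc, fmt.Errorf("duplicate package id %q at artifacts[%d] and artifacts[%d]", p.ID, prev, i)
		}
		seen[p.ID] = i
	}
	return doc, nil
}

// DanglingRelationships returns every relationship whose parent or child ID
// does not resolve to a package in the decoded document. A non-empty result
// means external references into this SBOM would no longer line up.
func DanglingRelationships(doc Document) []Relationship {
	ids := make(map[string]bool, len(doc.Artifacts))
	for _, p := range doc.Artifacts {
		ids[p.ID] = true
	}
	var dangling []Relationship
	for _, r := range doc.Relationships {
		if !ids[r.Parent] || !ids[r.Child] {
			dangling = append(dangling, r)
		}
	}
	return dangling
}

// SampleSBOM is a constructed document (not real syft output): the producer
// assigned its own IDs, which a content hash would not reproduce, and the
// third artifact carries no ID at all.
const SampleSBOM = `{
  "artifacts": [
    {"id": "pkg-0001", "name": "libfoo", "version": "1.2.3", "type": "deb"},
    {"id": "pkg-0002", "name": "libbar", "version": "4.5.6", "type": "deb"},
    {"name": "libbaz", "version": "0.1.0", "type": "deb"}
  ],
  "relationships": [
    {"parent": "pkg-0001", "child": "pkg-0002", "type": "dependency-of"}
  ]
}`

func main() {
	for _, preserve := range []bool{false, true} {
		doc, err := Decode([]byte(SampleSBOM), preserve)
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Printf("preserveIDs=%v dangling=%d artifacts[0].id=%s\n",
			preserve, len(DanglingRelationships(doc)), doc.Artifacts[0].ID)
	}
}
```

Run as written, the recompute path reports one dangling relationship because `pkg-0001` and `pkg-0002` are replaced by content hashes, while the preserve path reports none and still gives `libbaz` a derived ID. The duplicate-ID rejection only applies on the preserve path; on the recompute path two packages with different content can never collide, which is the property the old behaviour got for free and the new one has to check explicitly.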