refactor(sbom): use intermediate representation for SPDX (#6310)
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
knqyf263 and DmitriyLewen authored Mar 18, 2024
1 parent 71da44f commit ab74caa
Showing 21 changed files with 1,041 additions and 875 deletions.
39 changes: 16 additions & 23 deletions integration/testdata/conda-spdx.json.golden
Expand Up @@ -3,7 +3,7 @@
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "testdata/fixtures/repo/conda",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000001",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
"creationInfo": {
"creators": [
"Organization: aquasecurity",
Expand All @@ -12,17 +12,9 @@
"created": "2021-08-25T12:20:30Z"
},
"packages": [
{
"name": "conda-pkg",
"SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"sourceInfo": "Conda",
"primaryPackagePurpose": "APPLICATION"
},
{
"name": "openssl",
"SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
"SPDXID": "SPDXRef-Package-b8061a5279413d55",
"versionInfo": "1.1.1q",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
Expand All @@ -39,11 +31,14 @@
"referenceLocator": "pkg:conda/openssl@1.1.1q"
}
],
"attributionTexts": [
"PkgType: conda-pkg"
],
"primaryPackagePurpose": "LIBRARY"
},
{
"name": "pip",
"SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
"SPDXID": "SPDXRef-Package-84198b3828050c11",
"versionInfo": "22.2.2",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
Expand All @@ -60,6 +55,9 @@
"referenceLocator": "pkg:conda/pip@22.2.2"
}
],
"attributionTexts": [
"PkgType: conda-pkg"
],
"primaryPackagePurpose": "LIBRARY"
},
{
Expand Down Expand Up @@ -105,27 +103,22 @@
},
{
"spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
"relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-84198b3828050c11",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
"relatedSpdxElement": "SPDXRef-Package-b8061a5279413d55",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
"spdxElementId": "SPDXRef-Package-84198b3828050c11",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"spdxElementId": "SPDXRef-Package-b8061a5279413d55",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"relationshipType": "CONTAINS"
}
]
24 changes: 12 additions & 12 deletions integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
Expand Up @@ -286,7 +286,7 @@
"bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "bsdutils",
"version": "2.33.1-0.1",
"version": "1:2.33.1-0.1",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -628,7 +628,7 @@
"bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "diffutils",
"version": "3.7-3",
"version": "1:3.7-3",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -1338,7 +1338,7 @@
"bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "libattr1",
"version": "2.4.48-4",
"version": "1:2.4.48-4",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -1396,7 +1396,7 @@
"bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all&distro=debian-10.2&epoch=1",
"type": "library",
"name": "libaudit-common",
"version": "2.8.4-3",
"version": "1:2.8.4-3",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -1454,7 +1454,7 @@
"bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "libaudit1",
"version": "2.8.4-3",
"version": "1:2.8.4-3",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -2091,7 +2091,7 @@
"bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "libgcc1",
"version": "8.3.0-6",
"version": "1:8.3.0-6",
"purl": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1",
"properties": [
{
Expand Down Expand Up @@ -2285,7 +2285,7 @@
"bom-ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64&distro=debian-10.2&epoch=2",
"type": "library",
"name": "libgmp10",
"version": "6.1.2+dfsg-4",
"version": "2:6.1.2+dfsg-4",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -3286,7 +3286,7 @@
"bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2",
"type": "library",
"name": "libpcre3",
"version": "8.39-12",
"version": "2:8.39-12",
"purl": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2",
"properties": [
{
Expand Down Expand Up @@ -4450,7 +4450,7 @@
"bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "login",
"version": "4.5-1.1",
"version": "1:4.5-1.1",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -4742,7 +4742,7 @@
"bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "passwd",
"version": "4.5-1.1",
"version": "1:4.5-1.1",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -5338,7 +5338,7 @@
"bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "ruby",
"version": "2.5.1",
"version": "1:2.5.1",
"licenses": [
{
"license": {
Expand Down Expand Up @@ -5690,7 +5690,7 @@
"bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64&distro=debian-10.2&epoch=1",
"type": "library",
"name": "zlib1g",
"version": "1.2.11.dfsg-1",
"version": "1:1.2.11.dfsg-1",
"licenses": [
{
"license": {
24 changes: 19 additions & 5 deletions pkg/fanal/analyzer/sbom/sbom_test.go
Expand Up @@ -31,6 +31,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Type: types.Jar,
Libraries: types.Packages{
{
ID: "co.elastic.apm:apm-agent:1.36.0",
Name: "co.elastic.apm:apm-agent",
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Expand All @@ -44,6 +45,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
{
ID: "co.elastic.apm:apm-agent-cached-lookup-key:1.36.0",
Name: "co.elastic.apm:apm-agent-cached-lookup-key",
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Expand All @@ -57,6 +59,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
{
ID: "co.elastic.apm:apm-agent-common:1.36.0",
Name: "co.elastic.apm:apm-agent-common",
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Expand All @@ -70,6 +73,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
{
ID: "co.elastic.apm:apm-agent-core:1.36.0",
Name: "co.elastic.apm:apm-agent-core",
Version: "1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Expand All @@ -89,7 +93,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
FilePath: "opt/bitnami/elasticsearch",
Libraries: types.Packages{
{
Name: "elasticsearch",
ID: "Elasticsearch@8.9.1",
Name: "Elasticsearch",
Version: "8.9.1",
Arch: "arm64",
Licenses: []string{"Elastic-2.0"},
Expand Down Expand Up @@ -169,7 +174,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
FilePath: "opt/bitnami/postgresql",
Libraries: types.Packages{
{
Name: "gdal",
ID: "GDAL@3.7.1",
Name: "GDAL",
Version: "3.7.1",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
Expand All @@ -181,7 +187,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
{
Name: "geos",
ID: "GEOS@3.8.3",
Name: "GEOS",
Version: "3.8.3",
Licenses: []string{"LGPL-2.1-only"},
Identifier: types.PkgIdentifier{
Expand All @@ -193,7 +200,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
{
Name: "postgresql",
ID: "PostgreSQL@15.3.0",
Name: "PostgreSQL",
Version: "15.3.0",
Licenses: []string{"PostgreSQL"},
Identifier: types.PkgIdentifier{
Expand All @@ -203,9 +211,15 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "15.3.0",
},
},
DependsOn: []string{
"GEOS@3.8.3",
"Proj@6.3.2",
"GDAL@3.7.1",
},
},
{
Name: "proj",
ID: "Proj@6.3.2",
Name: "Proj",
Version: "6.3.2",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
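Review bot: The expected `DependsOn` list added for the PostgreSQL package (`"GEOS@3.8.3"`, `"Proj@6.3.2"`, `"GDAL@3.7.1"`) is not sorted, so the assertion only passes if the analyzer emits dependencies in exactly that sequence; if that order is not guaranteed by the implementation, this test will be flaky. Either sort `DependsOn` where it is produced, or compare it order-insensitively here. Test_sbomAnalyzer_Analyze starts and ends outside the hunk.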
9 changes: 3 additions & 6 deletions pkg/fanal/applier/docker.go
Expand Up @@ -263,12 +263,9 @@ func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Pack
func aggregate(detail *ftypes.ArtifactDetail) {
var apps []ftypes.Application

aggregatedApps := map[ftypes.LangType]*ftypes.Application{
ftypes.PythonPkg: {Type: ftypes.PythonPkg},
ftypes.CondaPkg: {Type: ftypes.CondaPkg},
ftypes.GemSpec: {Type: ftypes.GemSpec},
ftypes.NodePkg: {Type: ftypes.NodePkg},
ftypes.Jar: {Type: ftypes.Jar},
aggregatedApps := make(map[ftypes.LangType]*ftypes.Application)
for _, t := range ftypes.AggregatingTypes {
aggregatedApps[t] = &ftypes.Application{Type: t}
}

for _, app := range detail.Applications {
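Review bot: The `make` on the aggregatedApps line can be pre-sized now that the key set is a slice of known length: `aggregatedApps := make(map[ftypes.LangType]*ftypes.Application, len(ftypes.AggregatingTypes))`. The loop also ties this function to an exported package-level `var` (see the pkg/fanal/types/const.go hunk) that any importer can append to or reorder at runtime, so an entry added there silently changes which types get merged here; a one-line comment stating that the set is meant to be fixed would make the dependency explicit. The body of `aggregate` continues outside the hunk.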
8 changes: 8 additions & 0 deletions pkg/fanal/types/const.go
Expand Up @@ -81,6 +81,14 @@ const (
OCP LangType = "ocp" // Red Hat OpenShift Container Platform
)

var AggregatingTypes = []LangType{
PythonPkg,
CondaPkg,
GemSpec,
NodePkg,
Jar,
}

// Config files
const (
JSON ConfigType = "json"
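Review bot: `AggregatingTypes` is exported but has no doc comment, and as a `var` it can be mutated by any importer. Suggest `// AggregatingTypes lists the language package types that the applier merges into one Application per type (see aggregate in pkg/fanal/applier/docker.go).` above the declaration, and, if the set is not meant to change at runtime, either a sentence in that comment saying callers must not modify it or exposing it through a function that returns a fresh copy.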
6 changes: 4 additions & 2 deletions pkg/k8s/scanner/scanner.go
Expand Up @@ -375,7 +375,9 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
return nil, fmt.Errorf("failed to find node name")
}

kbom := core.NewBOM()
kbom := core.NewBOM(core.Options{
GenerateBOMRef: true,
})
for _, artifact := range allArtifact {
switch artifact.Kind {
case controlPlaneComponents:
Expand Down Expand Up @@ -413,7 +415,7 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
}

imageComponent := &core.Component{
Type: core.TypeContainer,
Type: core.TypeContainerImage,
Name: name,
Version: cDigest,
PkgID: core.PkgID{
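Review bot: `GenerateBOMRef: true` on the `core.NewBOM(core.Options{` line is passed without saying why the cluster BOM needs it; a why-comment such as `// bom-refs are needed so the k8s report can reference components by ref (TODO: confirm which consumer relies on them)` would save the next reader a trip into the core package. The second hunk's switch to `core.TypeContainerImage` is a straightforward rename. `clusterInfoToReportResources` starts and ends outside the hunk.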
2 changes: 1 addition & 1 deletion pkg/k8s/scanner/scanner_test.go
Expand Up @@ -155,7 +155,7 @@ func TestScanner_Scan(t *testing.T) {
},
},
{
Type: core.TypeContainer,
Type: core.TypeContainerImage,
Name: "k8s.gcr.io/kube-apiserver",
Version: "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
PkgID: core.PkgID{
2 changes: 1 addition & 1 deletion pkg/report/spdx/spdx.go
Expand Up @@ -30,7 +30,7 @@ func NewWriter(output io.Writer, version string, spdxFormat types.Format) Writer
}

func (w Writer) Write(ctx context.Context, report types.Report) error {
spdxDoc, err := w.marshaler.Marshal(ctx, report)
spdxDoc, err := w.marshaler.MarshalReport(ctx, report)
if err != nil {
return xerrors.Errorf("failed to marshal spdx: %w", err)
}