
fix(bitnami): use purl to detect bitnami pkg name #6981

Closed
DmitriyLewen opened this issue Jun 21, 2024 Discussed in #6954 · 0 comments · Fixed by #6982
Labels: scan/sbom (Issues relating to SBOM), scan/vulnerability (Issues relating to vulnerability scanning), triage/support (Indicates an issue that is a support question)

Comments

@DmitriyLewen (Contributor)

Description

We use the package name field instead of purl to detect the package name, to avoid case-insensitivity issues:

trivy/pkg/sbom/io/decode.go

Lines 249 to 266 in c3192f0

```go
// pkgName returns the package name.
// PURL loses case-sensitivity (e.g. Go, Npm, PyPI), so we have to use an original package name.
func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
	p := c.PkgIdentifier.PURL
	// A name from PURL takes precedence for CocoaPods since it has subpath.
	if c.PkgIdentifier.PURL.Type == packageurl.TypeCocoapods {
		return pkg.Name
	}
	if c.Group != "" {
		if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
			return c.Group + ":" + c.Name
		}
		return c.Group + "/" + c.Name
	}
	return c.Name
}
```

But Bitnami is more focused on purl.
So after discussion we decided to use purl for Bitnami packages.
See #6954 (reply in thread)
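One way to express the requested behaviour, as an added example that is not Trivy's code or the fix in #6982: a simplified `pkgName` that returns the name carried by the purl for `bitnami` packages and otherwise keeps the SBOM's own case-preserving name (the CocoaPods branch is left out). `Component` and `parsePURL` are hypothetical stand-ins for `core.Component` and packageurl-go; the sample purls are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Component holds the SBOM fields pkgName reads (hypothetical simplified type, not Trivy's core.Component).
type Component struct{ Name, Group, PURL string }

// parsePURL is a minimal stand-in for packageurl-go: it returns the purl type and name
// (dropping version, qualifiers and subpath) with exactly the case the purl string carries.
func parsePURL(s string) (typ, name string, err error) {
	if !strings.HasPrefix(s, "pkg:") {
		return "", "", fmt.Errorf("not a purl: %q", s)
	}
	rest := strings.TrimPrefix(s, "pkg:")
	// '@', '?' and '#' may not appear unescaped in type/namespace/name, so the first
	// one found starts the version, qualifiers or subpath and everything after it goes.
	if i := strings.IndexAny(rest, "@?#"); i >= 0 {
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || parts[len(parts)-1] == "" {
		return "", "", fmt.Errorf("purl without a name: %q", s)
	}
	return strings.ToLower(parts[0]), parts[len(parts)-1], nil
}

// pkgName returns the purl name for Bitnami components (the change this issue asks for) and
// otherwise the case-preserving SBOM name, joined with its group by ':' (Maven/Gradle) or '/'.
func pkgName(c Component) (string, error) {
	typ, name, err := parsePURL(c.PURL)
	if err != nil {
		return "", err
	}
	if typ == "bitnami" {
		return name, nil
	}
	if c.Group != "" {
		if typ == "maven" || typ == "gradle" {
			return c.Group + ":" + c.Name, nil
		}
		return c.Group + "/" + c.Name, nil
	}
	return c.Name, nil
}

func main() { // constructed sample: the SBOM spells the name "Redis", the purl says "redis"
	name, _ := pkgName(Component{Name: "Redis", PURL: "pkg:bitnami/redis@7.2.4?arch=arm64"})
	fmt.Println(name) // redis
}
```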


DmitriyLewen added the triage/support, scan/vulnerability and scan/sbom labels on Jun 21, 2024
DmitriyLewen self-assigned this on Jun 21, 2024