Add portage, ALPM, and remove APK

From the list of packages that are considered OS packages. The reason is that the APK data feed includes fix info, but not underlying metadata info, so we shouldn't prefer APK packages to ecosystem specific packages the way we do for RPMs, for example. Signed-off-by: Will Murphy <will.murphy@anchore.com>
anchore · Jul 20, 2023 · 673670e · 673670e
1 parent 385920a
commit 673670e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 25 deletions.
diff --git a/grype/pkg/package.go b/grype/pkg/package.go
@@ -151,7 +151,7 @@ func excludePackage(p pkg.Package, parent pkg.Package) bool {
 
 func isOSPackage(p pkg.Package) bool {
 	switch p.Type {
-	case pkg.DebPkg, pkg.RpmPkg, pkg.ApkPkg:
+	case pkg.DebPkg, pkg.RpmPkg, pkg.PortagePkg, pkg.AlpmPkg:
 		return true
 	default:
 		return false

diff --git a/test/integration/compare_sbom_input_vs_lib_test.go b/test/integration/compare_sbom_input_vs_lib_test.go
@@ -72,10 +72,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 	)
 	observedPkgTypes := strset.New()
 	testCases := []struct {
-		name                 string
-		image                string
-		format               sbom.FormatID
-		allowedExtraPackages []string
+		name   string
+		image  string
+		format sbom.FormatID
 	}{
 		{
 			image:  "anchore/test_images:vulnerabilities-alpine",
@@ -156,20 +155,15 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 		},
 
 		{
-			image:                "anchore/test_images:npm",
-			format:               syft.SPDXJSONFormatID,
-			name:                 "npm-spdx-json",
-			allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // see note below
+			image:  "anchore/test_images:npm",
+			format: syft.SPDXJSONFormatID,
+			name:   "npm-spdx-json",
 		},
 
 		{
-			image:                "anchore/test_images:npm",
-			format:               syft.SPDXTagValueFormatID,
-			name:                 "npm-spdx-tag-value",
-			allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // npm itself is found
-			// both by the javascript cataloger and the APK cataloger, since it's installed
-			// as an apk package in this image. In Syft JSON, the we have enough information
-			// to prefer the APK cataloger, but in other formats, this information is lost.
+			image:  "anchore/test_images:npm",
+			format: syft.SPDXTagValueFormatID,
+			name:   "npm-spdx-tag-value",
 		},
 
 		{
@@ -256,16 +250,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 			// compare packages (shallow)
 			matchSetFromSbom := getMatchSet(matchesFromSbom)
 			matchSetFromImage := getMatchSet(matchesFromImage)
-			sbomButNotDirect := strset.Difference(matchSetFromSbom, matchSetFromImage)
-			directButNotSbom := strset.Difference(matchSetFromImage, matchSetFromSbom)
-
-			for _, allowed := range tc.allowedExtraPackages {
-				sbomButNotDirect.Remove(allowed)
-				directButNotSbom.Remove(allowed)
-			}
 
-			assert.Empty(t, sbomButNotDirect.List(), "vulnerabilities present only in results when using sbom as input")
-			assert.Empty(t, directButNotSbom.List(), "vulnerabilities present only in results when using image as input")
+			assert.Empty(t, strset.Difference(matchSetFromSbom, matchSetFromImage).List(), "vulnerabilities present only in results when using sbom as input")
+			assert.Empty(t, strset.Difference(matchSetFromImage, matchSetFromSbom).List(), "vulnerabilities present only in results when using image as input")
 
 			// track all covered package types (for use after the test)
 			for _, p := range pkgsFromSbom {