From 673670ee8bdd0832ef895c2e5093dc228a566b24 Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Thu, 20 Jul 2023 10:46:18 -0400
Subject: [PATCH] Add portage, ALPM, and remove APK

From the list of packages that are considered OS packages. The reason is that the APK data feed includes fix info, but not underlying metadata info, so we shouldn't prefer APK packages to ecosystem specific packages the way we do for RPMs, for example.

Signed-off-by: Will Murphy
---
 grype/pkg/package.go | 2 +-
 .../compare_sbom_input_vs_lib_test.go | 35 ++++++-------------
 2 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/grype/pkg/package.go b/grype/pkg/package.go
index 779483137997..0bba0bb5df9f 100644
--- a/grype/pkg/package.go
+++ b/grype/pkg/package.go
@@ -151,7 +151,7 @@ func excludePackage(p pkg.Package, parent pkg.Package) bool {
 func isOSPackage(p pkg.Package) bool {
 switch p.Type {
- case pkg.DebPkg, pkg.RpmPkg, pkg.ApkPkg:
+ case pkg.DebPkg, pkg.RpmPkg, pkg.PortagePkg, pkg.AlpmPkg:
 return true
 default:
 return false
diff --git a/test/integration/compare_sbom_input_vs_lib_test.go b/test/integration/compare_sbom_input_vs_lib_test.go
index 4a82d1013ae7..c903f48a496d 100644
--- a/test/integration/compare_sbom_input_vs_lib_test.go
+++ b/test/integration/compare_sbom_input_vs_lib_test.go
@@ -72,10 +72,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 )
 observedPkgTypes := strset.New()
 testCases := []struct {
- name string
- image string
- format sbom.FormatID
- allowedExtraPackages []string
+ name string
+ image string
+ format sbom.FormatID
 }{
 {
 image: "anchore/test_images:vulnerabilities-alpine",
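Review bot: isOSPackage now answers false for pkg.ApkPkg while its name still promises "OS package", and nothing in package.go records why APK was dropped — the rationale lives only in the commit message and in the test comment this patch deletes in the hunk at -156. Without it, the next reader will take `case pkg.DebPkg, pkg.RpmPkg, pkg.PortagePkg, pkg.AlpmPkg:` for an oversight and re-add APK, silently restoring the preference the commit removes. I'd carry the reasoning into a doc comment above the function: `// isOSPackage reports whether p comes from an OS package manager whose matches are preferred over ecosystem-specific matches for the same package. APK is deliberately excluded: its data feed carries fix information but not the underlying package metadata, so APK entries must not take precedence over ecosystem packages.` The function's closing brace is outside the hunk.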
@@ -156,20 +155,15 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 },
 {
- image: "anchore/test_images:npm",
- format: syft.SPDXJSONFormatID,
- name: "npm-spdx-json",
- allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // see note below
+ image: "anchore/test_images:npm",
+ format: syft.SPDXJSONFormatID,
+ name: "npm-spdx-json",
 },
 {
- image: "anchore/test_images:npm",
- format: syft.SPDXTagValueFormatID,
- name: "npm-spdx-tag-value",
- allowedExtraPackages: []string{"GHSA-hj9c-8jmm-8c52-npm-7.17.0"}, // npm itself is found
- // both by the javascript cataloger and the APK cataloger, since it's installed
- // as an apk package in this image. In Syft JSON, the we have enough information
- // to prefer the APK cataloger, but in other formats, this information is lost.
+ image: "anchore/test_images:npm",
+ format: syft.SPDXTagValueFormatID,
+ name: "npm-spdx-tag-value",
 },
 {
@@ -256,16 +250,9 @@ func TestCompareSBOMInputToLibResults(t *testing.T) {
 // compare packages (shallow)
 matchSetFromSbom := getMatchSet(matchesFromSbom)
 matchSetFromImage := getMatchSet(matchesFromImage)
- sbomButNotDirect := strset.Difference(matchSetFromSbom, matchSetFromImage)
- directButNotSbom := strset.Difference(matchSetFromImage, matchSetFromSbom)
-
- for _, allowed := range tc.allowedExtraPackages {
- sbomButNotDirect.Remove(allowed)
- directButNotSbom.Remove(allowed)
- }
- assert.Empty(t, sbomButNotDirect.List(), "vulnerabilities present only in results when using sbom as input")
- assert.Empty(t, directButNotSbom.List(), "vulnerabilities present only in results when using image as input")
+ assert.Empty(t, strset.Difference(matchSetFromSbom, matchSetFromImage).List(), "vulnerabilities present only in results when using sbom as input")
+ assert.Empty(t, strset.Difference(matchSetFromImage, matchSetFromSbom).List(), "vulnerabilities present only in results when using image as input")
 // track all covered package types (for use after the test)
 for _, p := range pkgsFromSbom {
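Review bot: The two added assert.Empty calls hand `strset.Difference(...).List()` straight to the assertion, so on failure the vulnerability IDs are printed in whatever order List yields; if that follows Go map iteration (which I believe is how strset is backed, but have not confirmed here), the failure output reorders on every run and two CI failures for the same regression look different. Sorting the slice first keeps the check identical and the output stable: `sbomOnly := strset.Difference(matchSetFromSbom, matchSetFromImage).List(); sort.Strings(sbomOnly); assert.Empty(t, sbomOnly, "vulnerabilities present only in results when using sbom as input")`, and the same for the image-only set (importing sort if the file does not already). TestCompareSBOMInputToLibResults starts and ends outside the hunk.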