Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: further improvements to CPE generation for apk packages #1623

Merged
merged 19 commits into from
Feb 27, 2023
Merged

fix: further improvements to CPE generation for apk packages #1623

merged 19 commits into from
Feb 27, 2023

Conversation

westonsteimel
Copy link
Contributor

Adds many known CPE vendor candidates to APK CPE generation as well as using known project URL prefixes from APK metadata to generate known vendor candidates. Eventually we might be able to remove some of the overrides in candidate_by_packages_type.go and rely on the URL logic; however, currently apks installed from Wolfi don't include any URL info, so we will retain them for now.

@westonsteimel
fix: consider upstream logic during apk cpe gen
ec9e43b 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for go
16b04de 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for ruby
2d84ec9 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for bazel
adb6c74 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for clang
08c97a7 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for openjdk
d230254 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for glibc
93cc853 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for glib
e34b0aa 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for bash
0d8b4ba 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for alsa-lib
bdf2180 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: correct apk CPE for alsa
7a0edca 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: determine apk cpe vendor from known URLs
533a68a 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
fix: add more url prefix->vendor mappings for apk
8387b88 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
refactor: allow reuse of vendor by url prefix logic
17477ed 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
more tests
b01a95e 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
more refactoring and tests
b32ff2e 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
more updates
ab6a031 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@github-actions
Copy link

github-actions bot commented Feb 24, 2023
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.86m ± 23%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             844.8µ ±  2%
ImagePackageCatalogers/python-package-cataloger-2                           3.044m ±  2%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   648.5µ ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       346.6µ ±  1%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   463.9µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   438.1µ ±  1%
ImagePackageCatalogers/java-cataloger-2                                     10.54m ±  3%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.931µ ±  3%
ImagePackageCatalogers/apkdb-cataloger-2                                    790.5µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         18.11µ ±  1%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              950.6µ ±  1%
ImagePackageCatalogers/portage-cataloger-2                                  287.8µ ± 10%
ImagePackageCatalogers/sbom-cataloger-2                                     102.7µ ±  0%
ImagePackageCatalogers/binary-cataloger-2                                   143.8µ ±  1%
geomean                                                                     452.1µ

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.060Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             141.9Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           947.2Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.9Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       95.99Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.6Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.8Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.725Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.523Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    207.7Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.102Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.1Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.53Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.06Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   21.20Ki ± 0%
geomean                                                                     110.8Ki

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.159k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.48k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.457k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.253k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     5.000k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.010k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     649.0 ± 0%
geomean                                                                      2.243k

@westonsteimel
tests for vendor from url logic
187c745 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@westonsteimel
feat: extract username as vendor candidate from github/gitlab
ac012d9 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
@spiffcs spiffcs merged commit fbda21f into main Feb 27, 2023
@spiffcs spiffcs deleted the apk-cpe-gen-improvements branch February 27, 2023 18:16
@kzantow kzantow added the bug Something isn't working label Mar 2, 2023
This was referenced Mar 2, 2023
Closed
Closed
Closed
Closed
Merged
This was referenced Mar 3, 2023
Merged
Closed
Closed
Open
Open
Open
Open
Open
Open
Closed
@dependabot dependabot bot mentioned this pull request Mar 13, 2023
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@westonsteimel
fix: further improvements to CPE generation for apk packages (anchore…
8d9ca26 
…#1623)

* fix: consider upstream logic during apk cpe gen
* fix: correct apk CPE for go
* fix: correct apk CPE for ruby
* fix: correct apk CPE for bazel
* fix: correct apk CPE for clang
* fix: correct apk CPE for openjdk
* fix: correct apk CPE for glibc
* fix: correct apk CPE for gli
* fix: correct apk CPE for bas
* fix: correct apk CPE for alsa-lib
* fix: correct apk CPE for alsa
* fix: determine apk cpe vendor from known URLs
* fix: add more url prefix->vendor mappings for apk
* refactor: allow reuse of vendor by url prefix logic
* feat: extract username as vendor candidate from github/gitlab

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@westonsteimel @spiffcs @kzantow