Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add compliance policy for empty name and version #3257

Merged
merged 3 commits into from
Sep 20, 2024
Merged

Add compliance policy for empty name and version #3257

merged 3 commits into from
Sep 20, 2024

Conversation

wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Sep 19, 2024
edited
Loading

Adds a new compliance configuration to handle what to do when there is a missing name or version:

compliance:
  # action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
  missing-name: 'drop'
  
  # action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
  missing-version: 'stub'

Above are the default values, but the possible values a user can put in are:

  • keep, add a trace log but the non-compliant package is still added to the SBOM
  • drop, exclude the package from results, add a debug log
  • stub, replace the non-compliant empty value with UNKNOWN

Open questions:

  1. configuration-wise should this land within the pkgcataloging package? (instead of the cataloging package?)

Closes #2132
Closes #2652
Closes #2038
Closes #2039

@wagoodman
add policy for empty name and version
ee8d796 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@kzantow
Copy link
Contributor

kzantow commented Sep 19, 2024

One observation: once the known-unknowns lands perhaps some of these options would go away / change? E.g. a user could surface something in the files section with something like:

/package.json
  unknowns: dropped package due to missing name

@wagoodman

This comment was marked as outdated.

Sign in to view
@wagoodman
default stub version
4f0132a 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman mentioned this pull request Sep 19, 2024
Open
@wagoodman
modifying ids requires augmenting relationships
9d281d1 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review September 19, 2024 20:54
@spiffcs
Copy link
Contributor

spiffcs commented Sep 20, 2024

I think the config placement and package organization is correct here from and API standpoint so 🟢 from me. Was there any other discussion you wanted @wagoodman on this PR?

@wagoodman wagoodman added the enhancement New feature or request label Sep 20, 2024
@wagoodman wagoodman merged commit 963ea59 into main Sep 20, 2024
12 checks passed
@wagoodman wagoodman deleted the empty-name-version branch September 20, 2024 16:50
@BrewTestBot BrewTestBot mentioned this pull request Sep 24, 2024
Merged
luhring added a commit to wolfi-dev/wolfictl that referenced this pull request Sep 25, 2024
@luhring
update golden files
2cc08c0 
Looks like just "UNKNOWN" being added to existing packages, likely from anchore/syft#3257.

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
@willmurphyscode willmurphyscode mentioned this pull request Sep 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
3 participants
@wagoodman @kzantow @spiffcs