fix(sbom): use root package for unknown dependencies (if exists)
#8104
Conversation
| @@ -417,20 +417,33 @@ func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Pac | |||
| // All packages are included in the parent | |||
| // Case 3: Relationship: known , DependsOn: unknown (e.g., go.mod without $GOPATH) | |||
| // All packages are included in the parent | |||
| // Case 4: Relationship: unknown, DependsOn: known (e.g., OS packages) | |||
| // All packages are included in the parent even if they have parents | |||
| // Case 4: Relationship: unknown, DependsOn: known (e.g., GoBinaries, OS packages) | |||
There was a problem hiding this comment.
Given that RelationshipUnknown has been introduced now, I'm wondering if this behavior is good in the first place.
In OS packages, packages with no parent are sure to be direct dependencies, but other packages are unknown, so it may be better not to add them as direct dependencies. Then, our logic is simple: no parent packages belong to a non-package parent (OS, Application component, etc.).
This will not be a problem when applying VEX, etc., since packages with at least one parent can always be present in the dependency tree.
There was a problem hiding this comment.
BTW, I found compositions. We may want to fill in this field to represent incomplete relationships.
There was a problem hiding this comment.
hm... you solution looks logical.
if Relationship is unknown and packages has parents - most likely it is one of two options:
- this is direct package (like in out logic for dep tree)
- this is orphan package and it makes sense to add it for parent (OS/Application) component.
Also, after changes, dependencies graph looks logical:
before:
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002", // OS component
Dependencies: &[]string{
"pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1",
"pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
{
Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1",
Dependencies: &[]string{
"pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
after:
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]string{
"pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1",
},
},
{
Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1",
Dependencies: &[]string{
"pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
I updated logic in 17c3735 (tests - fbe7fd5)
BTW, I found compositions. We may want to fill in this field to represent incomplete relationships.
I'm not sure about that.
This may complicate the logic of understanding and processing cyclonedx files.
Also, we need to use different logic for CycloneDX and SPDX files.
There was a problem hiding this comment.
Yes, I agree, but it's recommended here.
It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.
And I didn't find any other ways to represent the dependency graph is incomplete.
DmitriyLewen
deleted the
fix/bom-encode-relationshops-unknown-and-root
branch
|
@aqua-bot backport release/v0.58 |
|
Backport PR created: #8156 |
Description
Use root package for
unknowndependencies (if exists)e.g. for GoBinaries (see update test).
See #8102 for more details.
Also this PR fixes problem with VEX with subcomponents:
before:
after:
Related issues
unknowndependencies are related to application component and not root component #8102Related PRs
Checklist