Is it possible to get the source package name (and source version) in the report? #1083
Comments
|
@rnjudge what do you think? |
|
I think this is technically possible for a some package managers but not all. For example, i don't think python packages have the concept of a "source" package vs binary like rpm or deb packages do. I do worry about the clutter in the default table with another column for source package. I wonder if this is a command line flag we could include? @nishakm thoughts? |
|
@rnjudge a long time ago, tern included some ability to retrieve corresponding sources, particularly for debian packages as it was the easiest one to implement. This is different from "source package name" though. I agree with the cluttering of the default table. We may want to direct folks looking for more information to the JSON or HTML report format. @sameer1046 can you provide an example of "source package name"? |
|
I think what he means by source package name is in reference to rpm or deb packages where there's one source package that contains the source code which builds/produces the associated binary packages (the source package is not typically installed). For example, the systemd source package produces |
|
@rnjudge Exactly. in linux/debian/rpm package have one source and from that source different binary packages were built. It would be great if it will be available in cyclonedx format |
|
Thanks for the explanation and clarification! I suppose this is possible for deb and rpm. I am more familiar with deb than rpm so I'll work through what is needed to implement that:
I think it's possible to add this for the distros that support it. It requires adding a new property in |
|
As a colleague of @sameer1046 at Siemens, I'm involved into license scanning topics since a couple of years, so some additional bits:
|
|
I think the question we are grappling with right now is whether "source package name" should be included in our summary report. It's already becoming less summarizing ;). @sameer1046 @gernot-h if you are OK using a combination of tern's JSON format and jq, this is totally doable. |
For the Siemens use-case, we just need this information in any machine-readable format, so JSON sounds perfect! :) |
|
I would suggest to produce a cyclone dx bom in source package format by setting a flag in the command line. |
We might need @coderpatros's help with this one after we add source package info to the data model as he is the CycloneDX format wizard :) |
|
Hi @Ranjit-Kumar-Nayak -- thanks for your interest! If you have good ways/can come up with a way to list source packages installed on a system using dpkg or rpm package managers (or in a bash script) that would be a good starting point! Bonus points if you can find the source given it's binary package name. |
|
@sameer1046 @gernot-h may I ask which vulnerability scanner you are using that requires sources? |
Sorry, @nishakm, for coming back to this so late. I'm not exactly sure what the environment is here (I don't know how tern works internally), but in case you are running on the system with the packages in question, you don't need additional apt sources. All you need is already known by dpkg once your package is installed, a simple will show you the source information for an installed package. The procedure you described might however make perfect sense if you want to run it in a distinct environment where the package you analyze is not installed. By the way, there's an important thing to note: the source version might also differ from the binary version in rare cases. So you should also query for it and add it to the BOM. |
Sure. :) This is not about security scanning, but about license clearing (legal compliance task...). We use (and maintain ;) ) https://github.com/fossology/ for this. |
Thank you!! This is super helpful. Do you have the command to do this using RPM handy?
|
|
@sameer1046, could you please update the issue title and initial description to also include "source version", so for example "get the source package name (and source version) in the report". I put this in brackets as I'm unsure if this is relevant for other distributions than Debian and Ubuntu, though. |
This should be And, on my OpenSUSE system, source version can also differ from binary version in rare cases, so this seems to be a common concept: |
sameer1046
changed the title
|
Thanks again @gernot-h. I think we can get this feature merged and data available in the JSON report before our next release (planned for next week). |
This commit adds source package name and source package version information to the Package object data model. Tern currently reports binary package metadata in its reports. Source packages exist in operating systems like Debian and RedHat and differ from binary packages. Source packages provide all of the necessary files to compile or build a desired piece of software. Binary packages are what get produced as a result of building a source package and are what typically gets installed in an environment. Binary packages can have different names and/or versions as their source package. Source packages are relevant in the context of security scanning as most CVEs are reported by source package name and version. Works towards tern-tools#1083 Signed-off-by: Rose Judge <rjudge@vmware.com>
This commit adds scripts in base.yml to collect source package names and versions for deb and rpm package managers. Resolves tern-tools#1083 Signed-off-by: Rose Judge <rjudge@vmware.com>
This commit adds scripts in base.yml to collect source package names and versions for dpkg and rpm package managers. Resolves tern-tools#1083 Signed-off-by: Rose Judge <rjudge@vmware.com>
This commit adds scripts in base.yml to collect source package names and versions for dpkg and rpm package managers. Resolves tern-tools#1083 Signed-off-by: Rose Judge <rjudge@vmware.com>
This PR adds source package name and source package version information to the Package object data model. It also adds scripts in base.yml for rpm and dpkg package managers to collect source package names and versions. Tern currently reports binary package metadata in its reports. Source packages exist in operating systems like Debian and RedHat and differ from binary packages. Source packages provide all of the necessary files to compile or build a desired piece of software. Binary packages are what get produced as a result of building a source package and are what typically gets installed in an environment. Binary packages can have different names and/or versions as their source package. Source packages are relevant in the context of security scanning as most CVEs are reported by source package name and version. Resolves #1083 Signed-off-by: Rose Judge <rjudge@vmware.com>
Currently tern reports the binary package info of the Debian packages. It would be great if tern can provide the source package information in the report so that it would be easy to feed the report directly on license scanning tools.
The text was updated successfully, but these errors were encountered: