Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sbom,scan): binary package filtering #945

Merged
merged 1 commit into from
Jun 6, 2024
Merged

fix(sbom,scan): binary package filtering #945

merged 1 commit into from
Jun 6, 2024

Conversation

luhring
Copy link
Contributor

@luhring luhring commented Jun 6, 2024

Fixes #355

This provides better parity with actual Syft and Grype scans, since "binary" packages owned by the APK package are removed when the ExcludeBinaryPackagesWithFileOwnershipOverlap option is enabled.

cc: @hectorj2f @cpanato

Re: tests: We'll add integration tests to verify this behavior in another PR that conveniently I'm working on at the moment!

This updates the behavior for both SBOM generation and vulnerability scanning:

wolfictl sbom

Before

go run . sbom --disable-sbom-cache ./packages/x86_64/openssl-3.3.0-r9.apk
🔎 Scanning "./packages/x86_64/openssl-3.3.0-r9.apk"
├── 📄 /.PKGINFO
│       📦 openssl 3.3.0-r9 (apk)

└── 📄 /usr/bin/openssl
        📦 openssl 3.3.0 (binary)

After

$ go run . sbom --disable-sbom-cache ./packages/x86_64/openssl-3.3.0-r9.apk    
🔎 Scanning "./packages/x86_64/openssl-3.3.0-r9.apk"
└── 📄 /.PKGINFO
        📦 openssl 3.3.0-r9 (apk)

wolfictl scan

Before

$ go run . scan -r openssl --disable-sbom-cache
📡 Finding remote packages
🔎 Scanning "/var/folders/pz/h07rtjmd4mv4wpnr5st5q1480000gn/T/x86_64-openssl-3.3.0-r9-846198202.apk"
└── 📄 /usr/bin/openssl
        📦 openssl 3.3.0 (binary)
            Unknown CVE-2024-4603
 
🔎 Scanning "/var/folders/pz/h07rtjmd4mv4wpnr5st5q1480000gn/T/aarch64-openssl-3.3.0-r9-2055496375.apk"
└── 📄 /usr/bin/openssl
        📦 openssl 3.3.0 (binary)
            Unknown CVE-2024-4603

After

$  go run . scan -r openssl --disable-sbom-cache                            
📡 Finding remote packages
🔎 Scanning "/var/folders/pz/h07rtjmd4mv4wpnr5st5q1480000gn/T/x86_64-openssl-3.3.0-r9-3675836449.apk"
✅ No vulnerabilities found
🔎 Scanning "/var/folders/pz/h07rtjmd4mv4wpnr5st5q1480000gn/T/aarch64-openssl-3.3.0-r9-117921744.apk"
✅ No vulnerabilities found

@luhring
fix(sbom,scan): binary package filtering
fb79d09 
This provides better parity with actual Syft and Grype scans, since binary packages owned by the APK package are removed.

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
@luhring luhring mentioned this pull request Jun 6, 2024
Merged
hectorj2f
hectorj2f reviewed Jun 6, 2024
View reviewed changes
pkg/sbom/sbom.go
@@ -107,6 +112,20 @@ func Generate(ctx context.Context, inputFilePath string, f io.Reader, distroID s
packageCollection := createdSBOM.Artifacts.Packages
packageCollection.Add(*apkPackage)

if cfg.Relationships.ExcludeBinaryPackagesWithFileOwnershipOverlap {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've found a bit more context of this flag in here: anchore/syft#931. If anyone is reviewing this PR.

hectorj2f
hectorj2f approved these changes Jun 6, 2024
View reviewed changes
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, looking forward to review these tests.

@luhring luhring merged commit a106551 into wolfi-dev:main Jun 6, 2024
3 checks passed
@luhring luhring deleted the filter-binary-pkgs branch June 6, 2024 20:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hectorj2f hectorj2f hectorj2f approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

sbom/scan commands: synthesized apk package should include file data
2 participants
@luhring @hectorj2f