Report package DB verification metadata #371

Closed
wagoodman opened this issue Apr 6, 2021 · 3 comments · Fixed by #388
Labels
enhancement New feature or request

Comments


wagoodman commented Apr 6, 2021

Report on RPM, DPKG, and APK file manifest data for each file owned by each package found in the respective database:

  • digest
  • digest algorithm
  • mode
  • user
  • group
  • size
  • conffile listing (if available)
@wagoodman wagoodman changed the title implement file package verify in parity with: implement file package verify in parity with anchore-engine Apr 6, 2021
@wagoodman wagoodman changed the title implement file package verify in parity with anchore-engine Report package DB verification metadata Apr 6, 2021
@wagoodman wagoodman self-assigned this Apr 6, 2021

wagoodman commented Apr 8, 2021

Update for DPKG

anchore-engine today only captures: digest, digest algorithm, and indication if this is a conf file
See: https://github.com/anchore/anchore-engine/blob/v0.8.2/anchore_engine/analyzers/utils.py#L1863

This means that the following fields will be left out of the syft implementation: mode, user, group, file size

Actions:

  • pull out the conffile listing, combining information from both the status file and the info/conffile
  • today we have a md5 field. We could make this agnostic by providing a digest field with value and algorithm fields. DPKG only uses md5, but it could help consumers by being consistent.
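
One way to carry out the DPKG actions above, as an added example that is not part of the original issue and is not syft's own code: it merges `info/<pkg>.md5sums` entries with the status-file `Conffiles` entries into records carrying an algorithm-agnostic digest. The type and function names are assumptions, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Digest is the algorithm-agnostic shape proposed in the issue (names assumed).
type Digest struct{ Algorithm, Value string }

// FileRecord is a hypothetical per-file record, not syft's actual type.
type FileRecord struct {
	Path         string
	Digest       Digest
	IsConfigFile bool
}

// MergeDpkgFiles combines info/<pkg>.md5sums lines ("<md5>  <relative path>")
// with status-file Conffiles lines (" /abs/path <md5> [obsolete]").
func MergeDpkgFiles(md5sums, conffiles string) map[string]FileRecord {
	records := map[string]FileRecord{}
	for _, line := range strings.Split(md5sums, "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || len(parts[0]) != 32 {
			continue // blank or malformed line
		}
		path := "/" + strings.TrimPrefix(parts[1], "/")
		records[path] = FileRecord{Path: path, Digest: Digest{"md5", parts[0]}}
	}
	for _, line := range strings.Split(conffiles, "\n") {
		fields := strings.Fields(line)
		if n := len(fields); n > 2 && fields[n-1] == "obsolete" {
			fields = fields[:n-1] // drop the trailing flag
		}
		if len(fields) < 2 {
			continue
		}
		path := strings.Join(fields[:len(fields)-1], " ")
		// Conffiles are often absent from md5sums, so the status entry
		// supplies the digest as well as the conffile flag.
		records[path] = FileRecord{path, Digest{"md5", fields[len(fields)-1]}, true}
	}
	return records
}

func main() {
	// Constructed sample data, not taken from a real package.
	md5sums := "0123456789abcdef0123456789abcdef  usr/bin/demo\n"
	conffiles := " /etc/demo.conf fedcba9876543210fedcba9876543210\n /etc/old.conf 00000000000000000000000000000000 obsolete\n"
	for path, r := range MergeDpkgFiles(md5sums, conffiles) {
		fmt.Println(path, r.Digest.Algorithm, r.Digest.Value, r.IsConfigFile)
	}
}
```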


wagoodman commented Apr 8, 2021

Update for APK

anchore-engine today only captures: digest, digest algorithm, mode, group, and user
See: https://github.com/anchore/anchore-engine/blob/v0.8.2/anchore_engine/analyzers/utils.py#L1975

This means that the following fields will be left out of the syft implementation: conffile, size

Actions:

  • today we have a Checksum field. We could make this agnostic by providing a digest field with value and algorithm fields. APK only uses sha1, but it could help consumers by being consistent.


wagoodman commented Apr 8, 2021

Update for RPM

anchore-engine today captures: digest, digest algorithm, mode, group, user, size, and indication if this is a conffile
See: https://github.com/anchore/anchore-engine/blob/v0.8.2/anchore_engine/analyzers/utils.py#L1756

Actions:

  • add user
  • add group
  • add conffile indication
  • add digest algorithm
  • today we have a SHA256 field. We could make this agnostic by providing a digest field with value and algorithm fields. This way we could help consumers by being consistent.
