
chore: add more detail on SPDX file IDs #1769

Merged
merged 2 commits into from
May 2, 2023

Conversation

kzantow
Contributor

@kzantow kzantow commented Apr 27, 2023

This PR adjusts how Syft outputs SPDX IDs for files to include some information about the file name in the ID (up to 40 characters). This helps with SPDX Tag Value stability, as the spdx/tools-golang library is re-sorting files based on the SPDX ID. The sorting is an issue because layer hashes contribute to the file hashes themselves, so rebuilding a container and re-scanning results in significantly different ordering of the files without this change. This also helps to make relationships more clear when just looking at the SPDX relationship elements, these now include File-<some-path>, e.g.:

Relationship: SPDXRef-Package-apk-scanelf-e903138d19e85b80 OTHER SPDXRef-File-lib-apk-db-installed-3f4e74b9e4beb504

Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
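As an added illustration (not Syft's own code, which this page does not show), the following constructed Go program sketches the ID scheme the description outlines: a sanitized path prefix capped at 40 characters followed by a hash suffix, so that a consumer sorting on SPDX ID gets path-ordered output even when the hash part shifts after an image rebuild. The sanitization rules, the use of SHA-256 over path plus layer digest for the suffix, and the 16-hex-character suffix length are assumptions; the page only shows one resulting ID, `SPDXRef-File-lib-apk-db-installed-3f4e74b9e4beb504`.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// maxNameChars caps the path-derived part of the ID at 40 characters, as the PR describes.
const maxNameChars = 40

// spdxIDPattern is the SPDX 2.x grammar for an ID: "SPDXRef-" followed by letters, digits, "." or "-".
var spdxIDPattern = regexp.MustCompile(`^SPDXRef-[A-Za-z0-9.-]+$`)

// sanitizePath turns a file path into an SPDX-safe fragment (assumed rules, not Syft's):
// runs of disallowed characters, "/" included, collapse to one "-"; leading and
// trailing dashes are dropped.
func sanitizePath(p string) string {
	var b strings.Builder
	pendingDash := false
	for _, r := range p {
		allowed := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '.'
		if !allowed {
			pendingDash = true
			continue
		}
		if pendingDash && b.Len() > 0 {
			b.WriteByte('-')
		}
		pendingDash = false
		b.WriteRune(r)
	}
	return b.String()
}

// fileSPDXID builds "SPDXRef-File-<sanitized path, max 40 chars>-<16 hex chars>".
// Assumption: the suffix is the first 16 hex chars of SHA-256 over path and layer digest,
// standing in for a file hash that changes when the image layer is rebuilt.
func fileSPDXID(path, layerDigest string) string {
	name := sanitizePath(path)
	if len(name) > maxNameChars { // name is ASCII only, so byte length == char count
		name = strings.TrimRight(name[:maxNameChars], "-.")
	}
	if name == "" {
		name = "unnamed"
	}
	sum := sha256.Sum256([]byte(path + "\x00" + layerDigest))
	return "SPDXRef-File-" + name + "-" + hex.EncodeToString(sum[:])[:16]
}

// legacyFileID mimics a hash-only ID, whose lexical order is decided entirely by the digest.
func legacyFileID(path, layerDigest string) string {
	sum := sha256.Sum256([]byte(path + "\x00" + layerDigest))
	return "SPDXRef-File-" + hex.EncodeToString(sum[:])[:16]
}

// isValidSPDXID reports whether an ID satisfies the SPDX ID string grammar.
func isValidSPDXID(id string) bool { return spdxIDPattern.MatchString(id) }

// orderByID returns the paths in the order a consumer that sorts on SPDX ID would emit them.
func orderByID(paths []string, layerDigest string, idFn func(string, string) string) []string {
	type entry struct{ id, path string }
	entries := make([]entry, 0, len(paths))
	for _, p := range paths {
		entries = append(entries, entry{idFn(p, layerDigest), p})
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].id < entries[j].id })
	out := make([]string, len(entries))
	for i, e := range entries {
		out[i] = e.path
	}
	return out
}

func main() {
	// Constructed sample: a few files from an Alpine-style image, "scanned" twice with
	// different constructed layer digests, as happens after a rebuild.
	paths := []string{
		"/lib/apk/db/installed", "/etc/os-release", "/usr/bin/busybox", "/bin/sh",
		"/usr/share/doc/a-very-long-package-name/subdir/another/level/README.md",
	}
	for _, digest := range []string{"sha256:constructed-layer-a", "sha256:constructed-layer-b"} {
		fmt.Println("layer", digest)
		fmt.Println("  path-prefixed order:", orderByID(paths, digest, fileSPDXID))
		fmt.Println("  hash-only order:    ", orderByID(paths, digest, legacyFileID))
	}
	fmt.Println(fileSPDXID("/lib/apk/db/installed", "sha256:constructed-layer-a"))
}
```

The path-prefixed order is identical for both digests because the sanitized prefixes alone decide the sort, whereas the hash-only order is at the mercy of whatever the digests happen to be. One caveat worth keeping in mind when diffing SBOMs: two paths whose sanitized forms share the same first 40 characters differ only in the hash suffix, so their relative order can still move between rebuilds.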
@kzantow kzantow merged commit 6452067 into anchore:main May 2, 2023
9 checks passed
@kzantow kzantow deleted the fix/sort-unpackaged-files branch May 2, 2023 20:52
spiffcs added a commit that referenced this pull request May 4, 2023
* main:
  chore(docs): Update lists of catalogers (#1780)
  chore: add more detail on SPDX file IDs (#1769)
  Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756)
  chore(deps): bump github.com/docker/docker (#1767)
  rename sbom.PackageCatalog to sbom.Packages (#1773)
  chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@willmurphyscode willmurphyscode added the bug Something isn't working label May 5, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024