Update package verification fields for DPKG #375

Merged
wagoodman merged 4 commits into main from package-verification-fields-dpkg on Apr 12, 2021

wagoodman
Contributor

This PR implements the suggested improvements from #371 (comment), specifically:

  • add conffile listing to the files field, combining information from both the status file and the info/conffile
  • normalize the md5 field to digest, with subfields value and algorithm
  • updated JSON schema with DpkgMetadata changes (which is a partially breaking change)
  • discovered that the artifacts.metadata anyOf clause was being generated incorrectly, resulting in an always-passing validation --this was fixed as well.

Partially addresses #371

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
@wagoodman wagoodman requested a review from a team April 9, 2021 12:50
@wagoodman wagoodman self-assigned this Apr 9, 2021
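
The first two bullets of the description, worked through in Go as an added example that is not syft's code or part of this PR: it parses the Conffiles field of a dpkg status entry into file records carrying a digest of value and algorithm, then merges them with records assumed to come from the package's md5sums list. FileRecord, ParseConffiles and MergeFiles are hypothetical names, paths are assumed to contain no whitespace, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type Digest struct{ Algorithm, Value string } // shape named in the PR description

// FileRecord is a hypothetical type for this example, not syft's own struct.
type FileRecord struct {
	Path       string
	Digest     *Digest
	IsConfFile bool
}

// ParseConffiles reads a status "Conffiles:" body, one " <path> <md5> [flag]" entry
// per line. A non-hex token in the hash position yields a record with no digest.
func ParseConffiles(body string) []FileRecord {
	var out []FileRecord
	for _, line := range strings.Split(body, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // blank or truncated entry
		}
		rec := FileRecord{Path: f[0], IsConfFile: true}
		h := strings.ToLower(f[1])
		if len(h) == 32 && strings.Trim(h, "0123456789abcdef") == "" {
			rec.Digest = &Digest{Algorithm: "md5", Value: h}
		}
		out = append(out, rec)
	}
	return out
}

// MergeFiles keys both lists by path; conffile records are applied last.
func MergeFiles(md5sums, conffiles []FileRecord) map[string]FileRecord {
	merged := make(map[string]FileRecord)
	for _, r := range append(append([]FileRecord{}, md5sums...), conffiles...) {
		if prev, ok := merged[r.Path]; ok && r.Digest == nil {
			r.Digest = prev.Digest // keep a known digest rather than erasing it
		}
		merged[r.Path] = r
	}
	return merged
}

func main() { // constructed sample entry
	fmt.Printf("%+v\n", *ParseConffiles(" /etc/demo.conf D41D8CD98F00B204E9800998ECF8427E\n")[0].Digest)
}
```

A record with a nil Digest is a file that cannot be verified from the package database, which a consumer should treat differently from a file whose digest mismatches.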
github-actions bot commented Apr 9, 2021

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                   old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           913µs ± 3%     988µs ± 2%   +8.23%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2        1.08ms ± 3%    1.18ms ± 2%   +9.74%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     452µs ± 3%     500µs ± 1%  +10.43%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 402µs ± 2%     489µs ± 3%  +21.63%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  439µs ± 0%     514µs ± 4%  +16.98%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  6.02ms ± 2%    6.54ms ± 2%   +8.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  586µs ± 2%     654µs ± 3%  +11.66%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-cataloger-2                     229µs ± 3%     249µs ± 2%   +8.65%  (p=0.008 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   360µs ± 2%     398µs ± 1%  +10.49%  (p=0.008 n=5+5)

name                                                   old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           100kB ± 0%     100kB ± 0%     ~     (p=0.548 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2         480kB ± 0%     481kB ± 0%   +0.05%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     109kB ± 0%     109kB ± 0%   +0.11%  (p=0.032 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 104kB ± 0%     114kB ± 0%   +9.06%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  134kB ± 0%     134kB ± 0%   +0.00%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  1.69MB ± 0%    1.69MB ± 0%     ~     (p=0.690 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                 1.13MB ± 0%    1.13MB ± 0%   +0.00%  (p=0.024 n=5+5)
ImagePackageCatalogers/go-cataloger-2                    47.8kB ± 0%    47.8kB ± 0%   +0.14%  (p=0.032 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                  87.3kB ± 0%    87.3kB ± 0%   -0.00%  (p=0.008 n=5+5)

name                                                   old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           2.16k ± 0%     2.16k ± 0%     ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2         5.47k ± 0%     5.47k ± 0%     ~     (all equal)
ImagePackageCatalogers/javascript-package-cataloger-2     1.92k ± 0%     1.92k ± 0%     ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                 2.20k ± 0%     2.37k ± 0%   +7.70%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  3.18k ± 0%     3.18k ± 0%     ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                   22.0k ± 0%     22.0k ± 0%     ~     (p=0.556 n=5+4)
ImagePackageCatalogers/apkdb-cataloger-2                  1.79k ± 0%     1.79k ± 0%   +0.06%  (p=0.016 n=5+4)
ImagePackageCatalogers/go-cataloger-2                     1.39k ± 0%     1.39k ± 0%     ~     (all equal)
ImagePackageCatalogers/rust-cataloger-2                   2.74k ± 0%     2.74k ± 0%     ~     (all equal)

syft/pkg/cataloger/deb/cataloger.go
Comment on lines +71 to +74
if version != "" {
entry.SourceVersion = version
entry.Source = name
}
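Review bot: entry.Source = name sits inside the version != "" guard, so whenever version is empty the name is discarded along with it. If name can be set while version is empty, assign entry.Source outside the guard and keep only entry.SourceVersion conditional; if dropping the name is intended, add a comment above the guard saying why.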
Contributor

for my clarification only, this means that if version is empty, we don't want to capture the name?

Contributor Author

good question --I only migrated this part of the code (already existed in this file). Looks like it was added in #297 ... maybe an oversight?

Contributor

I didn't catch that this was migrated over. No strong opinions here, just that this looked odd. If you think this shouldn't get a bit reworked that's fine. If in doubt though, I'd recommend opening up a ticket to look at this later on (no need to block this PR on this)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Contributor

@alfredodeza alfredodeza left a comment

This is also good to go, I think that the dpkg source+version situation needs at least an issue.

@wagoodman
Contributor Author

@alfredodeza created #377

@wagoodman wagoodman merged commit 66ebe49 into main Apr 12, 2021
@wagoodman wagoodman deleted the package-verification-fields-dpkg branch April 12, 2021 20:35
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
…ds-dpkg

Update package verification fields for DPKG