
Add vendor + product known good CPE field values #517

Merged (6 commits, Sep 27, 2021)

Conversation

wagoodman (Contributor)

This PR at a minimum adds vendor + product CPE field generation cases found in docker.io/kaazing-gateway:latest, docker.io/cassandra:latest, and docker.io/nuxeo:latest.

Additionally this PR:

  • refactors the mechanism used to specify and find CPE field additions for vendor and product
  • removes OSGI directives from Java group ID fields
  • removes double quotes from any CPE field generated
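The three bullets above describe field normalization that a CPE generator needs before candidates are matched against a vulnerability database: an OSGi directive left on a group ID (for example a `;singleton:=true` suffix) or stray double quotes produce CPE strings that never match, so affected packages silently drop out of scan results. The following is an added, self-contained Go illustration of that normalization written for this page; it is not syft's code, and the `additions` table, the function names and the sample group ID are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// fieldAdditions is a hypothetical "known good" lookup of extra vendor and
// product candidates keyed by package name. The single entry below is
// constructed for illustration and is not syft's real table.
type fieldAdditions struct {
	Vendors  []string
	Products []string
}

var additions = map[string]fieldAdditions{
	"cassandra": {Vendors: []string{"apache"}, Products: []string{"cassandra"}},
}

// cleanGroupID drops an OSGi directive suffix (everything from the first ';')
// from a Java group ID read out of a manifest or pom.
func cleanGroupID(groupID string) string {
	if i := strings.Index(groupID, ";"); i >= 0 {
		groupID = groupID[:i]
	}
	return strings.TrimSpace(groupID)
}

// unquoteField removes double quotes (only double quotes, as the PR states)
// from a CPE candidate field value.
func unquoteField(v string) string {
	return strings.ReplaceAll(v, `"`, "")
}

// candidateVendors returns deduplicated vendor candidates for a package:
// the cleaned group ID first, then any known-good additions. Empty values
// and bare asterisks are rejected so they never become a wildcard CPE.
func candidateVendors(pkgName, groupID string) []string {
	seen := map[string]struct{}{}
	var out []string
	add := func(v string) {
		v = unquoteField(cleanGroupID(v))
		if v == "" || v == "*" {
			return
		}
		if _, ok := seen[v]; ok {
			return
		}
		seen[v] = struct{}{}
		out = append(out, v)
	}
	add(groupID)
	if a, ok := additions[pkgName]; ok {
		for _, v := range a.Vendors {
			add(v)
		}
	}
	return out
}

// cpe23 formats a CPE 2.3 application string from already-normalized fields.
func cpe23(vendor, product, version string) string {
	return fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", vendor, product, version)
}

func main() {
	// Constructed sample: a quoted group ID carrying an OSGi directive.
	groupID := `"org.apache.cassandra";singleton:=true`
	for _, vendor := range candidateVendors("cassandra", groupID) {
		fmt.Println(cpe23(vendor, "cassandra", "4.0.1"))
	}
}
```

Running the block prints one CPE per vendor candidate, with the group-ID-derived vendor first and the table-supplied vendor second; a candidate that still contained the directive or the quotes would have been emitted as a string no CPE dictionary entry matches.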

wagoodman and others added 6 commits September 27, 2021 15:54
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
@wagoodman wagoodman added the bug Something isn't working label Sep 27, 2021
@wagoodman wagoodman requested a review from a team September 27, 2021 22:26
@github-actions

Benchmark Test Results

Benchmark results from the latest changes vs base branch
name                                                   old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2          1.03ms ± 2%    0.85ms ± 2%  -18.09%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2        1.67ms ± 5%    1.35ms ± 7%  -18.81%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     520µs ± 3%     410µs ± 2%  -21.27%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 527µs ± 5%     403µs ± 1%  -23.65%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  553µs ± 3%     422µs ± 6%  -23.71%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  10.9ms ± 2%     8.9ms ± 3%  -18.10%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  821µs ± 3%     709µs ± 2%  -13.61%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-cataloger-2                     273µs ± 1%     209µs ± 2%  -23.47%  (p=0.008 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   459µs ± 2%     370µs ± 2%  -19.44%  (p=0.008 n=5+5)

name                                                   old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           143kB ± 0%     145kB ± 0%   +0.81%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2         715kB ± 0%     717kB ± 0%   +0.31%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     118kB ± 0%     118kB ± 0%   -0.17%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 132kB ± 0%     132kB ± 0%   -0.21%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  140kB ± 0%     140kB ± 0%   +0.01%  (p=0.016 n=5+4)
ImagePackageCatalogers/java-cataloger-2                  2.70MB ± 0%    2.70MB ± 0%     ~     (p=0.841 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                 1.17MB ± 0%    1.17MB ± 0%   +0.05%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-cataloger-2                    55.0kB ± 0%    55.0kB ± 0%     ~     (p=1.000 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   121kB ± 0%     121kB ± 0%   +0.27%  (p=0.008 n=5+5)

name                                                   old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           2.33k ± 0%     2.34k ± 0%   +0.60%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2         8.11k ± 0%     8.14k ± 0%   +0.35%  (p=0.016 n=4+5)
ImagePackageCatalogers/javascript-package-cataloger-2     1.99k ± 0%     1.99k ± 0%   +0.15%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 2.53k ± 0%     2.54k ± 0%   +0.12%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  3.24k ± 0%     3.25k ± 0%   +0.03%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                   36.1k ± 0%     36.1k ± 0%   +0.10%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  2.27k ± 0%     2.28k ± 0%   +0.44%  (p=0.016 n=4+5)
ImagePackageCatalogers/go-cataloger-2                     1.46k ± 0%     1.46k ± 0%   +0.07%  (p=0.008 n=5+5)
ImagePackageCatalogers/rust-cataloger-2                   3.09k ± 0%     3.10k ± 0%   +0.23%  (p=0.008 n=5+5)

@spiffcs spiffcs merged commit 0395c47 into main Sep 27, 2021
@spiffcs spiffcs deleted the cpe-additions-infra branch September 27, 2021 22:32
spiffcs added a commit that referenced this pull request Sep 30, 2021
* main:
  Add vendor + product known good CPE field values (#517)
  Add SBOM to releases (#500)
  Add announcement for KubeCon meetup (#515)
  Prevent invalid CPE field values (#514)
  Filter out CPE product candidates that are asterisks (#513)
  Use Anchore fork of packageurl lib without replace directive (#512)
  update log file permissions to 0644 (#511)

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* add better infrastructure around CPE candidate additions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add test cases for CPE candidate additions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* small ergonomic updates

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* clean java OSGI directives from group ID

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* unquote CPE candidate field values (double quotes only)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add remaining CPE vendor & product additions (+ tests)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>