

fix(sbom): duplicate dependson (#3261)
masahiro331 authored Dec 4, 2022
1 parent fa2e3ac commit cbba6d1
Showing 2 changed files with 54 additions and 4 deletions.
7 changes: 3 additions & 4 deletions pkg/sbom/cyclonedx/marshal.go
Expand Up @@ -205,6 +205,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
if _, ok := bomRefMap[pkgID]; !ok {
bomRefMap[pkgID] = pkgComponent.BOMRef
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
}

// When multiple lock files have the same dependency with the same name and version,
Expand All @@ -227,8 +228,6 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
// TODO: All packages are flattened at the moment. We should construct dependency tree.
components = append(components, pkgComponent)
}

componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
}

for _, vuln := range result.Vulnerabilities {
Expand All @@ -247,8 +246,8 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
}
}

if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary ||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar || result.Type == ftypes.RustBinary {
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg ||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar {
// If a package is language-specific package that isn't associated with a lock file,
// it will be a dependency of a component under "metadata".
// e.g.
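Review bot: The narrowed type list in the `if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg ||` condition drops ftypes.GoBinary and ftypes.RustBinary without saying why, and the comment right below it ("language-specific package that isn't associated with a lock file") still reads as if binary packages belong there. A reader has to infer from the new test, where a GoBinary target becomes its own application component (`usr/local/bin/tfsec`) that the `pkg:oci/rails` component then depends on, that binaries are now represented through an intermediate component rather than attached to "metadata"; a one-line comment such as `// Binary targets (GoBinary, RustBinary) get their own application component, so their packages are not attached directly to "metadata".` would record that for the next maintainer. The accompanying test only exercises GoBinary, so the RustBinary half of this change appears untested. marshalComponents starts before this hunk and continues past it.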
51 changes: 51 additions & 0 deletions pkg/sbom/cyclonedx/marshal_test.go
Expand Up @@ -153,6 +153,17 @@ func TestMarshaler_Marshal(t *testing.T) {
},
},
},
{
Target: "usr/local/bin/tfsec",
Class: types.ClassLangPkg,
Type: ftypes.GoBinary,
Packages: []ftypes.Package{
{
Name: "golang.org/x/crypto",
Version: "v0.0.0-20210421170649-83a5a9bb288b",
},
},
},
},
},
want: &cdx.BOM{
Expand Down Expand Up @@ -335,6 +346,35 @@ func TestMarshaler_Marshal(t *testing.T) {
},
},
},
{
BOMRef: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
Type: cdx.ComponentTypeLibrary,
Name: "golang.org/x/crypto",
Version: "v0.0.0-20210421170649-83a5a9bb288b",
PackageURL: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:PkgType",
Value: "gobinary",
},
},
},
{
BOMRef: "3ff14136-e09f-4df9-80ea-000000000006",
Type: cdx.ComponentTypeApplication,
Name: "usr/local/bin/tfsec",
Version: "",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:Type",
Value: "gobinary",
},
{
Name: "aquasecurity:trivy:Class",
Value: "lang-pkgs",
},
},
},
},
Dependencies: &[]cdx.Dependency{
{
Expand Down Expand Up @@ -372,6 +412,14 @@ func TestMarshaler_Marshal(t *testing.T) {
},
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000006",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
},
},
},
{
Ref: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64",
Dependencies: &[]cdx.Dependency{
Expand All @@ -387,6 +435,9 @@ func TestMarshaler_Marshal(t *testing.T) {
{
Ref: "3ff14136-e09f-4df9-80ea-000000000005",
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000006",
},
},
},
},
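Review bot: The added GoBinary fixture (`usr/local/bin/tfsec` with a single golang.org/x/crypto package) covers the new component layout but not the duplicate-dependsOn regression the commit title names: no target lists the same package twice, so the dedup in marshalComponents (`if _, ok := bomRefMap[pkgID]; !ok`) appears to pass this test with or without the fix. Since packageID is keyed on target, name, version and file path, adding a second Packages entry with the same Name, Version and FilePath to one target and asserting that the corresponding dependsOn entry has exactly one Ref would pin the fix; an accurate, duplicate-free dependency graph is what downstream SBOM consumers rely on for vulnerability attribution. RustBinary, which the same change removes from the metadata-dependency type list, has no fixture at all. TestMarshaler_Marshal starts before these hunks and continues past them.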
