Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sbom): duplicate dependson #3261

Merged
merged 2 commits into from
Dec 4, 2022
Merged

fix(sbom): duplicate dependson #3261

merged 2 commits into from
Dec 4, 2022

Conversation

masahiro331
Copy link
Contributor

@masahiro331 masahiro331 commented Dec 3, 2022
edited
Loading

Description

  • Changed to avoid duplicate dependsOn.
  • Changed to create Application Component with RustBinary and GoBinary.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@masahiro331 masahiro331 marked this pull request as ready for review December 3, 2022 10:02
knqyf263
knqyf263 reviewed Dec 4, 2022
View reviewed changes
pkg/sbom/cyclonedx/marshal.go
@@ -205,6 +205,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
if _, ok := bomRefMap[pkgID]; !ok {
bomRefMap[pkgID] = pkgComponent.BOMRef
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why could it be duplicated? componentDependencies is defined per types.Result. The duplicate should not exist in Result.Packages.

knqyf263
knqyf263 reviewed Dec 4, 2022
View reviewed changes
pkg/sbom/cyclonedx/marshal.go
@@ -247,8 +246,8 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
}
}

if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary ||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar || result.Type == ftypes.RustBinary {
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg ||
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is the root. We aggregate Go/Rust binaries by mistake.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we no longer aggregating these components with this change, or would this only filter duplicates?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We no longer aggregate dependencies in Go/Rust binaries. It should have been a mistake.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh no. I was relying on this feature in my project. Any ideas for enabling go/rust binary parsing while generating SBoM with the new release?

Copy link
Contributor Author

@masahiro331 masahiro331 Dec 8, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem.

This feature modifies packages that depend on binaries so that they are not aggregated.

Before. (Aggregate package with the golang)

golang
 -  package A
 -  package B
 -  package C

After (Aggregate package with the package)

Binary A 
- package A
- package B

Binary B 
- package C

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We just don't aggregate those dependencies. You are still able to see those packages in SBOM.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @masahiro331 and @knqyf263, for the detailed explanation!

@knqyf263 knqyf263 merged commit cbba6d1 into aquasecurity:main Dec 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prabhu prabhu prabhu left review comments

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Trivy is not generating compliant cyclonedx json
3 participants
@masahiro331 @prabhu @knqyf263