[ENT] fix issue with index on artifact #1835
Conversation
Signed-off-by: pxp928 <parth.psu@gmail.com>
So, it makes sense to key on both algorithm and digest. We would prevent cases when an artifact with algorithm A has hash H and another artifact with algorithm B has the same hash H, same length, same contents.
But I don't see how this matches with the issue. Here it looks like the same jar was given 4 different paths, if I understand the PR message correctly. Just checking, do we also canonicalize algorithm to lower case?
The question was if that is valid. The same jar with different paths having the same SHA1?
Yes we do. This is also tested in the unit test.
This should still be just one artifact, we don't care about the path in the noun. Is the path from the SBOM? We'd then have 4 different
Yeah, disregard that. It is not part of the issue. Mistake on my end.
@pxp928 thanks 👍
* fix issue with index on artifact
  Signed-off-by: pxp928 <parth.psu@gmail.com>
* add test to capture this usecase
  Signed-off-by: pxp928 <parth.psu@gmail.com>
* remove digest only index in arrango
  Signed-off-by: pxp928 <parth.psu@gmail.com>
---------
Signed-off-by: pxp928 <parth.psu@gmail.com>
Signed-off-by: Soham Arora <arorasoham9@gmail.com>
Description of the PR
closes #1816
No errors when ingesting cdx_vuln.json and spdx_vuln.json.
The Trivy CDX SBOM has algo as "SHA-1" while SPDX has "SHA1" (with the same digest). This caused the issue.
PR Checklist
- `-s` flag to `git commit`
- `make generate` has been run
- `make generate` has been run
- `collectsub` protobuf has been changed, `make proto` has been run
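Added example, not GUAC's own code: a toy in-memory artifact store with a pluggable unique key, showing why a digest-only index rejects the SPDX artifact ("SHA1") once the CycloneDX artifact ("SHA-1") with the same digest has been ingested, and why an index over algorithm plus digest, with the algorithm lower-cased, accepts both as distinct artifacts. `Artifact`, `Store`, `Ingest` and the two key functions are hypothetical names chosen for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Artifact is a stand-in for the artifact noun (hypothetical type, not GUAC's).
type Artifact struct {
	Algorithm string
	Digest    string
}

// canonicalAlgorithm lower-cases the algorithm name, as the thread says
// ingestion already does. Note that "SHA-1" and "SHA1" stay distinct strings.
func canonicalAlgorithm(algo string) string {
	return strings.ToLower(strings.TrimSpace(algo))
}

// Store keeps artifacts under a unique key; keyFn decides what the unique
// index covers: digest only (the removed index) or algorithm+digest (the fix).
type Store struct {
	keyFn func(Artifact) string
	items map[string]Artifact
}

func NewStore(keyFn func(Artifact) string) *Store {
	return &Store{keyFn: keyFn, items: map[string]Artifact{}}
}

var ErrUniqueViolation = errors.New("unique index violation")
// Ingest canonicalises the artifact and inserts it. Re-ingesting an identical
// artifact is a no-op; a different artifact colliding on the key is rejected.
func (s *Store) Ingest(a Artifact) error {
	a.Algorithm = canonicalAlgorithm(a.Algorithm)
	k := s.keyFn(a)
	if existing, ok := s.items[k]; ok && existing != a {
		return fmt.Errorf("%w: key %q held by %s:%s", ErrUniqueViolation, k, existing.Algorithm, existing.Digest)
	}
	s.items[k] = a
	return nil
}

// DigestOnlyKey reproduces the digest-only index the PR removes.
func DigestOnlyKey(a Artifact) string { return a.Digest }

// AlgorithmDigestKey is the corrected index over both fields.
func AlgorithmDigestKey(a Artifact) string { return a.Algorithm + ":" + a.Digest }
```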