
Preserve Linux source package name #126

Status: Open (wants to merge 2 commits into main)

Conversation


@tofay tofay commented Jun 13, 2022

I've updated the LinuxComponent to include the source package name where possible.

Why?
Many Linux distributions (debian/alpine/mariner) publish CVE data against source package names only, so this is required for users to CVE check against the output of component-detection.

Note: Syft doesn't always provide the source package name (it doesn't appear to provide this for ubuntu packages when the source and binary package names are the same).

This builds on #88, but adds a new field to LinuxComponent instead of making the Name of LinuxComponent be the source package name iff the distro publishes CVEs against source package name.
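As an added illustration of why the description above wants the source package name carried alongside the binary name (this is not code from this PR or from component-detection), here is a consumer-side matcher that looks a component up in an advisory feed keyed by source package name, falling back to the binary name when the source name is absent. The `source_name` field name, the advisory feed and the sample components are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LinuxComponent:
    # Shape described in the PR: binary package name plus an optional
    # source package name. The field name `source_name` is hypothetical.
    distribution: str
    release: str
    name: str
    version: str
    source_name: Optional[str] = None


# Constructed advisory feed keyed by (distribution, source package name),
# the way Debian/Alpine-style security trackers publish their data.
# CVE identifiers are placeholders, not real advisories.
ADVISORIES: Dict[Tuple[str, str], List[str]] = {
    ("debian", "openssl"): ["CVE-PLACEHOLDER-0001"],
    ("debian", "python3.9"): ["CVE-PLACEHOLDER-0002"],
    ("alpine", "busybox"): ["CVE-PLACEHOLDER-0003"],
}


def candidate_names(component: LinuxComponent) -> List[str]:
    """Names to try against a source-keyed feed: source name first, then
    the binary name (often identical; Syft may omit the source name)."""
    names: List[str] = []
    if component.source_name:
        names.append(component.source_name)
    if component.name not in names:
        names.append(component.name)
    return names


def match_advisories(component: LinuxComponent, feed=ADVISORIES) -> List[str]:
    """Return advisory ids applicable to the component's distribution and
    any of its candidate package names, without duplicates."""
    found: List[str] = []
    for pkg in candidate_names(component):
        for cve in feed.get((component.distribution, pkg), []):
            if cve not in found:
                found.append(cve)
    return found


# Constructed sample components (versions are illustrative only).
SAMPLE = [
    LinuxComponent("debian", "bullseye", "libssl1.1", "1.1.1n-0+deb11u3", source_name="openssl"),
    LinuxComponent("debian", "bullseye", "python3.9-minimal", "3.9.2-1", source_name="python3.9"),
    LinuxComponent("debian", "bullseye", "python3.9-minimal", "3.9.2-1"),  # source name missing
    LinuxComponent("alpine", "3.16", "busybox", "1.35.0-r17"),  # binary name == source name
]
```

The third sample shows the gap the PR closes: with only the binary name `python3.9-minimal`, the `python3.9` advisory is never matched.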

JamieMagee and others added 2 commits June 11, 2022 07:16
The package name does not always line up 100% with the upstream or source name. For example some Linux distributions suffix the major version to differentiate i.e. python2 and python3. These should both be mapped back to python.

This PR also adds `ResourceUtilities` with the `LoadTextAsync` method, and also bundles a `Resources` directory in test projects. This should make it easier to load mocks from files for tests, instead of having to embed them in the C# source.
To allow clients to match against binary package name or source package name, as some distributions publish vulnerabilities against source package name.

Signed-off-by: Tom Fay <tomfay@microsoft.com>
@tofay tofay requested a review from a team as a code owner June 13, 2022 10:41
@tofay tofay requested a review from jcfiorenzano June 13, 2022 10:41
@cobya cobya added type:feature Feature (new functionality) detector:linux The Linux detector labels Jun 27, 2022
@cobya cobya requested a review from JamieMagee July 5, 2022 21:18
cobya commented Jul 5, 2022

@JamieMagee you probably have the most context to review this

tofay commented Nov 30, 2022

@JamieMagee before I rebase this, is this a change that you'd accept?

My team is currently working around this by discovering source packages where binary name != source name and registering them ourselves, but ideally we wouldn't have to.
