From f3c3d3d98e991d954d1f16fa643fd51774128be1 Mon Sep 17 00:00:00 2001
From: Justin Chadwell
Date: Mon, 22 Aug 2022 15:29:00 +0100
Subject: [PATCH] Prevent symlinks causing duplicate package-file relationships (#1168)
---
 syft/pkg/cataloger/catalog.go | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/syft/pkg/cataloger/catalog.go b/syft/pkg/cataloger/catalog.go
index fa0e4d72da03..c9bd4f51a4f4 100644
--- a/syft/pkg/cataloger/catalog.go
+++ b/syft/pkg/cataloger/catalog.go
@@ -110,29 +110,36 @@ func packageFileOwnershipRelationships(p pkg.Package, resolver source.FilePathRe
 return nil, nil
 }
- var relationships []artifact.Relationship
+ locations := map[artifact.ID]source.Location{}
 for _, path := range fileOwner.OwnedFiles() {
- locations, err := resolver.FilesByPath(path)
+ pathRefs, err := resolver.FilesByPath(path)
 if err != nil {
 return nil, fmt.Errorf("unable to find path for path=%q: %w", path, err)
 }
- if len(locations) == 0 {
+ if len(pathRefs) == 0 {
 // ideally we want to warn users about missing files from a package, however, it is very common for
 // container image authors to delete files that are not needed in order to keep image sizes small. Adding
 // a warning here would be needlessly noisy (even for popular base images).
 continue
 }
- for _, l := range locations {
- relationships = append(relationships, artifact.Relationship{
- From: p,
- To: l.Coordinates,
- Type: artifact.ContainsRelationship,
- })
+ for _, ref := range pathRefs {
+ if oldRef, ok := locations[ref.Coordinates.ID()]; ok {
+ log.Debugf("found path duplicate of %s", oldRef.RealPath)
+ }
+ locations[ref.Coordinates.ID()] = ref
 }
 }
+ var relationships []artifact.Relationship
+ for _, location := range locations {
+ relationships = append(relationships, artifact.Relationship{
+ From: p,
+ To: location.Coordinates,
+ Type: artifact.ContainsRelationship,
+ })
+ }
 return relationships, nil
 }
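Review bot: The new final loop `for _, location := range locations` ranges over a Go map, so the order of the returned relationships is now nondeterministic between runs; unless a later stage sorts relationships (not visible here), two scans of the same input can produce SBOMs whose relationship lists differ in order, which hurts reproducibility checks, diffing and signed/attested outputs. Deduplicating with a seen-set while still appending in `OwnedFiles()` order keeps the insertion order stable and drops the second pass. As a smaller point, the debug line logs `oldRef.RealPath`, the entry that is about to be overwritten, so the retained location is the last one seen while the message names the first; logging the path being skipped with `%q` is less confusing. packageFileOwnershipRelationships begins before the hunk.
```go
	seen := map[artifact.ID]struct{}{}
	var relationships []artifact.Relationship
	for _, path := range fileOwner.OwnedFiles() {
		// … unchanged: FilesByPath lookup and empty-result handling …
		for _, ref := range pathRefs {
			id := ref.Coordinates.ID()
			if _, ok := seen[id]; ok {
				// same underlying file reached via another path (e.g. a symlink); one relationship is enough
				log.Debugf("skipping duplicate path %q for package %s", ref.RealPath, p.Name)
				continue
			}
			seen[id] = struct{}{}
			relationships = append(relationships, artifact.Relationship{
				From: p,
				To:   ref.Coordinates,
				Type: artifact.ContainsRelationship,
			})
		}
	}
	return relationships, nil
```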