From 7eabb92ec2e617300433445718be07ac74956454 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Fri, 21 Jun 2024 14:14:50 +0600
Subject: [PATCH] fix(sbom): use `purl` for `bitnami` pkg names (#6982)

Co-authored-by: Teppei Fukuda
---
 pkg/fanal/analyzer/sbom/sbom_test.go | 26 +++++++++++++-------------
 pkg/sbom/io/decode.go | 8 ++++++++
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/pkg/fanal/analyzer/sbom/sbom_test.go b/pkg/fanal/analyzer/sbom/sbom_test.go
index cce12a7c4955..542a7f50addd 100644
--- a/pkg/fanal/analyzer/sbom/sbom_test.go
+++ b/pkg/fanal/analyzer/sbom/sbom_test.go
@@ -93,8 +93,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 FilePath: "opt/bitnami/elasticsearch",
 Packages: types.Packages{
 {
- ID: "Elasticsearch@8.9.1",
- Name: "Elasticsearch",
+ ID: "elasticsearch@8.9.1",
+ Name: "elasticsearch",
 Version: "8.9.1",
 Arch: "arm64",
 Licenses: []string{"Elastic-2.0"},
@@ -174,8 +174,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 FilePath: "opt/bitnami/postgresql",
 Packages: types.Packages{
 {
- ID: "GDAL@3.7.1",
- Name: "GDAL",
+ ID: "gdal@3.7.1",
+ Name: "gdal",
 Version: "3.7.1",
 Licenses: []string{"MIT"},
 Identifier: types.PkgIdentifier{
@@ -187,8 +187,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 },
 },
 {
- ID: "GEOS@3.8.3",
- Name: "GEOS",
+ ID: "geos@3.8.3",
+ Name: "geos",
 Version: "3.8.3",
 Licenses: []string{"LGPL-2.1-only"},
 Identifier: types.PkgIdentifier{
@@ -200,8 +200,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 },
 },
 {
- ID: "PostgreSQL@15.3.0",
- Name: "PostgreSQL",
+ ID: "postgresql@15.3.0",
+ Name: "postgresql",
 Version: "15.3.0",
 Licenses: []string{"PostgreSQL"},
 Identifier: types.PkgIdentifier{
@@ -212,14 +212,14 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 },
 },
 DependsOn: []string{
- "GEOS@3.8.3",
- "Proj@6.3.2",
- "GDAL@3.7.1",
+ "geos@3.8.3",
+ "proj@6.3.2",
+ "gdal@3.7.1",
 },
 },
 {
- ID: "Proj@6.3.2",
- Name: "Proj",
+ ID: "proj@6.3.2",
+ Name: "proj",
 Version: "6.3.2",
 Licenses: []string{"MIT"},
 Identifier: types.PkgIdentifier{
diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
index 707ed9a4c8dc..b740d756c4bd 100644
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -256,6 +256,14 @@ func (m *Decoder) pkgName(pkg *ftypes.Package, c *core.Component) string {
 return pkg.Name
 }
 
+ // TODO(backward compatibility): Remove after 03/2025
+ // Bitnami used different pkg.Name and the name from PURL.
+ // For backwards compatibility - we need to use PURL.
+ // cf. https://github.com/aquasecurity/trivy/issues/6981
+ if c.PkgIdentifier.PURL.Type == packageurl.TypeBitnami {
+ return pkg.Name
+ }
+
 if c.Group != "" {
 if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
 return c.Group + ":" + c.Name
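Review bot: The added Bitnami check reads `c.PkgIdentifier.PURL.Type` directly, while the condition just below it in the same function uses the local `p` (`p.Type == packageurl.TypeMaven`); writing it as `if p.Type == packageurl.TypeBitnami {` keeps a single access path and makes it evident that the new check sits under whatever nil guard `p` already has earlier in pkgName, whereas the direct field access would panic on a component without a PURL if `PURL` is a pointer and no guard precedes this point (the start of pkgName is outside the hunk, so I cannot confirm either way). The comment is also hard to follow: it says "we need to use PURL" but the branch returns `pkg.Name`, not anything read from the PURL. Consider rewording to `// Bitnami components: keep the PURL-derived pkg.Name rather than c.Name so identifiers from older Bitnami SBOMs stay stable (see issue #6981).` — this assumes pkg.Name is already PURL-derived, as the subject line suggests; confirm before adopting the wording.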