Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cyclonedx): set original names for packages #4306

Merged
merged 10 commits into from
May 23, 2023
Merged

fix(cyclonedx): set original names for packages #4306

merged 10 commits into from
May 23, 2023

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented May 10, 2023
edited
Loading

Description

When Trivy creates sbom-ref, it converts a name to low-case for several packages (Go - https://github.com/aquasecurity/trivy/blob/main/pkg/purl/purl.go#L285, npm, PyPI). It's done according to the spec:

The namespace and name must be lowercased.

But when Trivy does unmarshall from sbom-ref it loses case-sensitivity.

So we have to set an original name for a Go package name (Name is a mandatory field for the components).

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@afdesk afdesk changed the title fix(cyclonedx): case-sensitive in component names fix(cyclonedx): set original package names May 11, 2023
@afdesk afdesk marked this pull request as ready for review May 11, 2023 09:11
@afdesk afdesk requested a review from knqyf263 as a code owner May 11, 2023 09:11
knqyf263
knqyf263 reviewed May 11, 2023
View reviewed changes
pkg/sbom/cyclonedx/unmarshal.go Outdated
Comment on lines 344 to 346
if component.Name != "" {
pkg.Name = component.Name
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a comment on why it is needed.

@afdesk afdesk changed the title fix(cyclonedx): set original package names fix(cyclonedx): set original names for Go packages May 11, 2023
@afdesk afdesk requested a review from knqyf263 May 11, 2023 13:11
knqyf263
knqyf263 reviewed May 22, 2023
View reviewed changes
pkg/sbom/cyclonedx/unmarshal.go Outdated
@@ -341,6 +341,11 @@ func toPackage(component cdx.Component) (bool, string, *ftypes.Package, error) {
}

pkg := p.Package()
// Trivy's marshall loses case-sensitivity in PURL used in SBOM for Go,
// so we have to use an original package name
if p.PackageType() == ftypes.GoBinary {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering if this problem is applied to other languages as well. What if removing the if-statement?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right. there are uses ToLower for PyPI and npm, so it can arise such issue for them.
let's try to remove this if statement

@afdesk afdesk requested a review from knqyf263 May 23, 2023 08:20
@afdesk afdesk changed the title fix(cyclonedx): set original names for Go packages fix(cyclonedx): set original names for packages May 23, 2023
@knqyf263 knqyf263 merged commit 3f0721f into aquasecurity:main May 23, 2023
@DmitriyLewen DmitriyLewen mentioned this pull request Sep 18, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@afdesk afdesk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerabilities identified in a scan using Trivy can differ depending on whether an image or an SBOM is used.
2 participants
@afdesk @knqyf263