fix(cyclonedx): fix work when there are same pkgs from different dirs #5798
Conversation
There was a problem hiding this comment.
I only separated same packages from different directories.
But looks like we can merge these packages into 1 component with multiple aquasecurity:trivy:FilePath properties.
e.g.:
"components": [
{
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=dir1%2Fjackson-databind-2.13.4.jar",
"type": "library",
"group": "com.fasterxml.jackson.core",
"name": "jackson-databind",
"version": "2.13.4",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "dir1/jackson-databind-2.13.4.jar"
},
{
"name": "aquasecurity:trivy:FilePath",
"value": "dir2/jackson-databind-2.13.4.jar"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "jar"
}
]
}
],CycloneDX supports duplicate keys for properties: Unlike key-value stores, properties support duplicate names, each potentially having different values
https://cyclonedx.org/docs/1.5/json/#components_items_properties
@knqyf263 wdyt?
| }) | ||
|
|
||
| // Create package map | ||
| pkgs := lo.SliceToMap(result.Packages, func(pkg ftypes.Package) (string, Package) { | ||
| pkgID := lo.Ternary(pkg.ID == "", fmt.Sprintf("%s@%s", pkg.Name, utils.FormatVersion(pkg)), pkg.ID) | ||
| // To avoid skip same packages with different paths | ||
| if pkg.FilePath != "" { |
There was a problem hiding this comment.
This only applies to Packages (jar, package.json, etc.) because pkg.FilePath is only saved for Packages:
trivy/pkg/fanal/types/artifact.go
Lines 91 to 92 in abf227e
There was a problem hiding this comment.
pkgs map is used only for dependency iteration.
But Packages don't contain dependencies (DependsOn fields).
So it doesn't break logic.
There was a problem hiding this comment.
I thought about saving slice of ftypes.Package's or slice of FilePath's, but i understood that we still can't get correct package, because DependsOn doesn't currently contain info about filepath.
Looks like this update is enough for now.
If we will add Package with DependsOn - we will need to update DependsOn struct (and logic for this) and we can update logic for CycloneDX.
| @@ -144,12 +144,20 @@ func (e *Marshaler) marshalPackages(metadata types.Metadata, result types.Result | |||
|
|
|||
| // Group vulnerabilities by package ID | |||
| vulns := lo.GroupBy(result.Vulnerabilities, func(v types.DetectedVulnerability) string { | |||
| return lo.Ternary(v.PkgID == "", fmt.Sprintf("%s@%s", v.PkgName, v.InstalledVersion), v.PkgID) | |||
| pkgID := lo.Ternary(v.PkgID == "", fmt.Sprintf("%s@%s", v.PkgName, v.InstalledVersion), v.PkgID) | |||
| if v.PkgPath != "" { | |||
There was a problem hiding this comment.
same:
trivy/pkg/detector/library/detect.go
Line 35 in abf227e
|
This PR is stale because it has been labeled with inactivity. |
github-actions
bot
added
the
lifecycle/stale
DmitriyLewen
removed
the
lifecycle/stale
|
This PR is stale because it has been labeled with inactivity. |
github-actions
bot
added
the
lifecycle/stale
|
This should be reviewed... |
github-actions
bot
removed
the
lifecycle/stale
|
#6240 fixed this problem. |
Description
Fixes for cases when same packages are found in different directories:
➜ tree dir dir ├── dir1 │ └── jackson-databind-2.13.4.jar └── dir2 └── jackson-databind-2.13.4.jarbefore:
after:
vulnerabilities.affects.before(dir2 and dir2):
after(dir1 + dir2):
Related issues
Checklist