Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add relationships #6563

Merged
merged 34 commits into from
Apr 27, 2024
Merged

feat: add relationships #6563

merged 34 commits into from
Apr 27, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Apr 25, 2024

Description

This PR adds a new field, Relationship to Package and deprecates Indirect.

We currently set Indirect to true when the relationship is unknown, but this PR stops doing that and uses RelationshipUnknown.

Also, root packages are treated as direct packages now, but with the introduction of RelationshipRoot, the hierarchical structure is now handled correctly; SBOM reflects this, and the relationship would be like Root package -> Direct packages -> Indirect packages.

See #6092 for more details.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

knqyf263 added 22 commits April 23, 2024 14:55
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 knqyf263 self-assigned this Apr 25, 2024
@knqyf263 knqyf263 marked this pull request as ready for review April 25, 2024 20:08
@knqyf263 knqyf263 requested a review from DmitriyLewen as a code owner April 25, 2024 20:08
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@knqyf263 i left some comments.

Also some thoughts:

  1. Just as idea:
    Add Relationship for sorting Libraries:
    root -> direct deps -> indirect deps:
    or simple set root package first (root -> other deps)
    e.g. -
    want: []types.Library{
    {
    ID: "com.example:hard:1.0.0",
    Name: "com.example:hard",
    Version: "1.0.0",
    License: "Apache 2.0",
    Relationship: types.RelationshipRoot,
    },
    {
    ID: "org.example:example-api:2.0.0",
    Name: "org.example:example-api",
    Version: "2.0.0",
    License: "The Apache Software License, Version 2.0",
    Relationship: types.RelationshipIndirect,
    },
    {
    ID: "org.example:example-dependency:1.2.3",
    Name: "org.example:example-dependency",
    Version: "1.2.3",
    Relationship: types.RelationshipDirect,
    Locations: types.Locations{
    {
    StartLine: 33,
    EndLine: 37,
    },
    },
    },
    {
    ID: "org.example:example-nested:3.3.4",
    Name: "org.example:example-nested",
    Version: "3.3.4",
    Relationship: types.RelationshipDirect,
    Locations: types.Locations{
    {
    StartLine: 28,
    EndLine: 32,
    },
    },
    },
    },
  2. Perhaps we want to mark aggregated package (i mean jar, package.json, etc.) as RelationshipRoot?

integration/testdata/conan.json.golden Outdated Show resolved Hide resolved
pkg/dependency/types/types.go Outdated Show resolved Hide resolved
pkg/dependency/parser/golang/mod/parse.go Outdated Show resolved Hide resolved
pkg/dependency/parser/golang/mod/parse.go Outdated Show resolved Hide resolved
pkg/dependency/parser/rust/binary/parse_test.go Outdated Show resolved Hide resolved
pkg/sbom/io/encode_test.go Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update logic for files without direct dependencies.
But perhaps this is just another PR job.

Also vulnerability_test.go doesn't use new fields:

{
ID: "[email protected]",
Name: "node-fetch",
Version: "1.7.3",
Indirect: true,
},

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also vulnerability_test.go doesn't use new fields:

Fixed a0667ed

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update logic for files without direct dependencies.

Which files?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant files like package-lock.json v1 (there is info about child deps, but not about direct deps).

But I rechecked our logic. It looks like it fit perfectly without any changes.
But it would be nice to update the comment here:

// Direct dependencies cannot be identified in some package managers like "package-lock.json" v1,
// then the "Indirect" field can be always true. We try to guess direct dependencies in this case.
// A dependency with no parents must be a direct dependency.
//
// e.g.
// -> styled-components
// -> fbjs
// -> isomorphic-fetch
// -> node-fetch
//
// Even if `styled-components` is not marked as a direct dependency, it must be a direct dependency
// as it has no parents. Note that it doesn't mean `fbjs` is an indirect dependency.
ancestors[parent.ID] = struct{}{}

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done 4ea19d1

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Apr 26, 2024

  1. Just as idea:
    Add Relationship for sorting Libraries:
    root -> direct deps -> indirect deps:
    or simple set root package first (root -> other deps)

Sounds good. Added in 7a1c9a8

  1. Perhaps we want to mark aggregated package (i mean jar, package.json, etc.) as RelationshipRoot?

I'm not sure about it. The relationship currently represents a relationship in a project, and I feel like the relationships of these standalone packages are unknown.

@knqyf263 knqyf263 requested a review from DmitriyLewen April 26, 2024 09:46
@knqyf263
Copy link
Collaborator Author

@DmitriyLewen I think I've reflected your comments. Please take another look.

Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Left 1 small comment.

pkg/dependency/parser/gradle/lockfile/parse.go Outdated Show resolved Hide resolved
@knqyf263 knqyf263 added this pull request to the merge queue Apr 27, 2024
Merged via the queue into aquasecurity:main with commit 6343e4f Apr 27, 2024
12 checks passed
@knqyf263 knqyf263 mentioned this pull request Apr 27, 2024
7 tasks
@knqyf263 knqyf263 deleted the relationships branch May 1, 2024 16:36
fl0pp5 pushed a commit to altlinux/trivy that referenced this pull request May 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Replace Indirect Boolean with Enum Field
2 participants