fix(sbom): use root package for unknown dependencies (if exists) #8104
Conversation
@@ -417,20 +417,33 @@ func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Pac | |||
// All packages are included in the parent | |||
// Case 3: Relationship: known , DependsOn: unknown (e.g., go.mod without $GOPATH) | |||
// All packages are included in the parent | |||
// Case 4: Relationship: unknown, DependsOn: known (e.g., OS packages) | |||
// All packages are included in the parent even if they have parents | |||
// Case 4: Relationship: unknown, DependsOn: known (e.g., GoBinaries, OS packages) |
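Review bot: The Case 4 doc comment still reads "All packages are included in the parent even if they have parents", which contradicts the rule the thread converges on (only packages without a parent are attached to the OS/Application component; packages with a known parent stay under that parent). Since this hunk already touches the Case 4 line to add the GoBinaries example, update the sentence below it to state the actual rule so the comment does not describe behaviour the encoder no longer has.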
Given that `RelationshipUnknown` has been introduced now, I'm wondering if this behavior is good in the first place.
In OS packages, packages with no parent are sure to be direct dependencies, but other packages are unknown, so it may be better not to add them as direct dependencies. Then, our logic is simple: no-parent packages belong to a non-package parent (OS, Application component, etc.).
This will not be a problem when applying VEX, etc., since packages with at least one parent can always be present in the dependency tree.
BTW, I found compositions. We may want to fill in this field to represent incomplete relationships.
hm... your solution looks logical.
If `Relationship` is unknown and a package has parents, most likely it is one of two options:
- this is a direct package (like in our logic for the dep tree)
- this is an orphan package and it makes sense to add it to the parent (OS/Application) component.
Also, after the changes, the dependency graph looks logical:
before:
```go
{
	Ref: "3ff14136-e09f-4df9-80ea-000000000002", // OS component
	Dependencies: &[]string{
		"pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011&epoch=1",
		"pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011",
	},
},
{
	Ref: "pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011&epoch=1",
	Dependencies: &[]string{
		"pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011",
	},
},
```
after:
```go
{
	Ref: "3ff14136-e09f-4df9-80ea-000000000002",
	Dependencies: &[]string{
		"pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011&epoch=1",
	},
},
{
	Ref: "pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011&epoch=1",
	Dependencies: &[]string{
		"pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011",
	},
},
```
I updated logic in 17c3735 (tests - fbe7fd5)

> BTW, I found compositions. We may want to fill in this field to represent incomplete relationships.

I'm not sure about that.
This may complicate the logic of understanding and processing CycloneDX files.
Also, we need to use different logic for CycloneDX and SPDX files.
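The rule discussed in this comment, as an added example that is not Trivy's own code: `Package`, `Dependency`, `BuildGraph` and the sample purls are constructed here, and the `attachAll` switch reproduces the "before" (every package attached to the OS component) and "after" (only parentless packages attached) graphs shown above.

```go
package main

import "fmt"

// Package is a minimal stand-in for a Trivy package: a PURL-like ID and the IDs
// of the packages that depend on it (constructed for this example).
type Package struct {
	ID      string
	Parents []string
}

// Dependency mirrors a CycloneDX "dependencies" entry: a ref and what it depends on.
type Dependency struct {
	Ref       string
	DependsOn []string
}

// BuildGraph builds the dependency graph under a non-package parent (OS or
// Application component). attachAll=true attaches every package to the component
// even if it has parents (the "before" graph); attachAll=false attaches only
// parentless packages and leaves the others under their own parents ("after").
func BuildGraph(componentRef string, pkgs []Package, attachAll bool) []Dependency {
	children := map[string][]string{} // parent ref -> refs it depends on
	var direct, parentOrder []string
	for _, p := range pkgs {
		if attachAll || len(p.Parents) == 0 {
			direct = append(direct, p.ID)
		}
		for _, parent := range p.Parents {
			if _, seen := children[parent]; !seen {
				parentOrder = append(parentOrder, parent) // keep output deterministic
			}
			children[parent] = append(children[parent], p.ID)
		}
	}
	deps := []Dependency{{Ref: componentRef, DependsOn: direct}}
	for _, ref := range parentOrder {
		deps = append(deps, Dependency{Ref: ref, DependsOn: children[ref]})
	}
	return deps
}

func main() {
	pkgs := []Package{ // constructed sample: an rpm package and one that depends on it
		{ID: "pkg:rpm/centos/a@1?epoch=1"},
		{ID: "pkg:rpm/centos/b@1", Parents: []string{"pkg:rpm/centos/a@1?epoch=1"}},
	}
	fmt.Printf("before: %+v\n", BuildGraph("os-component", pkgs, true))
	fmt.Printf("after:  %+v\n", BuildGraph("os-component", pkgs, false))
}
```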
Yes, I agree, but it's recommended here.

> It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs.

And I didn't find any other way to represent that the dependency graph is incomplete.
Created #8157
@aqua-bot backport release/v0.58
Backport PR created: #8156
Description
Use root package for `unknown` dependencies (if exists), e.g. for GoBinaries (see updated test).
See #8102 for more details.
Also this PR fixes a problem with VEX with subcomponents:
before:
after:
Related issues
- `unknown` dependencies are related to application component and not root component #8102
Related PRs
Checklist