Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(linux): add logic to parse the upstream package name #88

Closed
wants to merge 2 commits into from
Closed

fix(linux): add logic to parse the upstream package name #88

wants to merge 2 commits into from

Conversation

JamieMagee
Copy link
Member

The package name does not always line up 100% with the upstream or source name. For example some Linux distributions suffix the major version to differentiate i.e. python2 and python3. These should both be mapped back to python.

This PR also adds ResourceUtilities with the LoadTextAsync method, and also bundles a Resources directory in test projects. This should make it easier to load mocks from files for tests. Instead of having to embed them in the C# source.

@JamieMagee JamieMagee requested a review from a team as a code owner April 4, 2022 20:56
@JamieMagee JamieMagee requested a review from jcfiorenzano April 4, 2022 20:56
@JamieMagee
fix(linux): add logic to parse the upstream package name
917d590 
The package name does not always line up 100% with the upstream or source name. For example some Linux distributions suffix the major version to differentiate i.e. python2 and python3. These should both be mapped back to python.

This PR also adds `ResourceUtilities` with the `LoadTextAsync` method, and also bundles a `Resources` directory in test projects. This should make it easier to load mocks from files for tests. Instead of having to embed them in the C# source.
@JamieMagee JamieMagee force-pushed the users/jamagee/linux-package-source-name branch from 8d1c9ce to 917d590 Compare April 4, 2022 21:35
@github-actions
Copy link

github-actions bot commented Apr 4, 2022

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

tofay
tofay reviewed Apr 5, 2022
View reviewed changes
src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
: package.Metadata.Source;
break;
case "RpmdbMetadata":
name = package.Metadata.Name;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can consistently choose either the binary package name or the source package name for all RPM based distros. Mariner publishes vulnerabilities under source package names, as does SUSE. But RHEL (also used for centos vulns) publish vulnerabilities under the binary package names.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, but we just need a more granular decision tree here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. (Though per my email, I'm not sure if component governance might have a need for both binary and source package name.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that component-detection doesn't do vulnerability scanning itself, and supports usages other than vulnerability scanning (e.g SBOMs, ad-hoc inventory analysis) I don't think component-detection

  • should discard the binary package name
  • have the API for the Name field be dependent on the current CVE security behaviour of various distros

I've proposed an alternative in #126 which is to keep both binary and source package name.

@JamieMagee JamieMagee added type:bug Bug fix of existing functionality detector:linux The Linux detector labels Apr 18, 2022
@tofay tofay mentioned this pull request Jun 13, 2022
Closed
@FernandoRojo
Copy link
Contributor

Closing PR due to conflicts / overlap with #126 , and low priority, will revisit if prioritization increases.

@FernandoRojo FernandoRojo mentioned this pull request Oct 28, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tofay tofay tofay left review comments

@jcfiorenzano jcfiorenzano Awaiting requested review from jcfiorenzano jcfiorenzano is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

Assignees
No one assigned
Labels
detector:linux The Linux detector type:bug Bug fix of existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JamieMagee @FernandoRojo @tofay