merge_cachi2_sboms: handle subpaths in syft purls
This removes 4 of the 5 false-positive Go modules in the merged SBOM.
One remains - Syft reports it *completely* wrong, not much we can do
about that.

Signed-off-by: Adam Cmiel <[email protected]>
chmeliik committed Dec 18, 2024
1 parent 5ab7138 commit 10b61d8
Showing 3 changed files with 19 additions and 248 deletions.
Expand Up @@ -45,6 +45,12 @@ def unwrap_from_cdx(items: list[CDXComponent]) -> list[dict[str, Any]]:
return [c.data for c in items]


def _subpath_is_version(subpath: str) -> bool:
# pkg:golang/github.com/cachito-testing/[email protected]#terminaltor -> subpath is a subpath
# pkg:golang/github.com/cachito-testing/[email protected]#v2 -> subpath is a version. Thanks, Syft.
return subpath.startswith("v") and subpath.removeprefix("v").isdecimal()


def _is_syft_local_golang_component(component: SBOMItem) -> bool:
"""
Check if a Syft Golang reported component is a local replacement.
Expand All @@ -55,6 +61,8 @@ def _is_syft_local_golang_component(component: SBOMItem) -> bool:
purl = component.purl()
if not purl or purl.type != "golang":
return False
if (subpath := purl.subpath) and not _subpath_is_version(subpath):
return True
return component.name().startswith(".") or component.version() == "(devel)"


Expand Down Expand Up @@ -109,14 +117,21 @@ def _unique_key_syft(component: SBOMItem) -> str:
return component.name() + "@" + component.version()

name = purl.name
version = purl.version
subpath = purl.subpath

if purl.type == "pypi":
name = name.lower()

version = purl.version
if purl.type == "golang" and version:
version = quote_plus(version)
if purl.type == "golang":
if version:
version = quote_plus(version)
if subpath and _subpath_is_version(subpath):
# put the module version where it belongs (in the module name)
name = f"{name}/{subpath}"
subpath = None

return purl._replace(name=name, version=version).to_string()
return purl._replace(name=name, version=version, subpath=subpath).to_string()


def _get_syft_component_filter(cachi_sbom_components: Sequence[SBOMItem]) -> Callable[[SBOMItem], bool]:
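Review bot: The docstring of `_is_syft_local_golang_component` still says it only checks for a local replacement, but the new `if (subpath := purl.subpath) and not _subpath_is_version(subpath): return True` branch returns True for any Syft golang purl whose subpath is not a major-version suffix, which is a broader heuristic than a replacement check; add a sentence such as `A golang purl with a non-version subpath (e.g. #terminaltor) is treated the same way, since Syft reports such subpackages as if they were separate modules.` so the next reader understands why a subpath alone is enough. If the result is used to drop Syft components from the merged SBOM, it would be worth a test showing that a subpackage of a genuine third-party module is still reported by the cachi2 side, since a purl the cachi2 SBOM does not carry would otherwise disappear from the merged output. Separately, `_subpath_is_version` uses `isdecimal()`, which accepts any Unicode decimal digit, while Go major-version suffixes are ASCII; `return subpath.startswith("v") and subpath[1:].isascii() and subpath[1:].isdecimal()` pins that intent, and the two inline comments would read better as a docstring like the one on `_is_syft_local_golang_component`. The body of `_is_syft_local_golang_component` starts before the second hunk, and `_unique_key_syft` starts before the third.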
Expand Up @@ -363,246 +363,6 @@
"type": "library",
"version": "3.16-5.el9"
},
{
"bom-ref": "pkg:golang/github.com/cachito-testing/[email protected]?package-id=146c86ecdbb0cfe7#terminaltor",
"cpe": "cpe:2.3:a:cachito-testing:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*",
"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "go"
},
{
"name": "syft:package:type",
"value": "go-module"
},
{
"name": "syft:package:metadataType",
"value": "go-module-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod-pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod_pandemonium\\/terminaltor:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/gomod-pandemonium.bom.json"
}
],
"purl": "pkg:golang/github.com/cachito-testing/[email protected]#terminaltor",
"type": "library",
"version": "v0.0.0"
},
{
"bom-ref": "pkg:golang/github.com/cachito-testing/[email protected]?package-id=fa2ffebd22241e0d#weird",
"cpe": "cpe:2.3:a:cachito-testing:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*",
"name": "github.com/cachito-testing/gomod-pandemonium/weird",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "go"
},
{
"name": "syft:package:type",
"value": "go-module"
},
{
"name": "syft:package:metadataType",
"value": "go-module-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod-pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:gomod_pandemonium\\/weird:v0.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/gomod-pandemonium.bom.json"
}
],
"purl": "pkg:golang/github.com/cachito-testing/[email protected]#weird",
"type": "library",
"version": "v0.0.0"
},
{
"bom-ref": "pkg:golang/github.com/cachito-testing/[email protected]?package-id=6db993d8ef0e368a#v2",
"cpe": "cpe:2.3:a:cachito-testing:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*",
"name": "github.com/cachito-testing/retrodep/v2",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "go"
},
{
"name": "syft:package:type",
"value": "go-module"
},
{
"name": "syft:package:metadataType",
"value": "go-module-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito-testing:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito_testing:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cachito:retrodep\\/v2:v2.1.1:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/gomod-pandemonium.bom.json"
},
{
"name": "syft:metadata:h1Digest",
"value": "h1:inziEuX1Zo/BJv1pgZ2tRPltfQVJaVpRmIlsomaKMb0="
}
],
"purl": "pkg:golang/github.com/cachito-testing/[email protected]#v2",
"type": "library",
"version": "v2.1.1"
},
{
"bom-ref": "pkg:golang/github.com/onsi/[email protected]?package-id=dbe722f079d05fed#v2",
"cpe": "cpe:2.3:a:onsi:ginkgo\\/v2:v2.9.2:*:*:*:*:*:*:*",
"name": "github.com/onsi/ginkgo/v2",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "go"
},
{
"name": "syft:package:type",
"value": "go-module"
},
{
"name": "syft:package:metadataType",
"value": "go-module-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:onsi:ginkgo\\/v2:v2.9.2:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/gomod-pandemonium.bom.json"
},
{
"name": "syft:metadata:h1Digest",
"value": "h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU="
}
],
"purl": "pkg:golang/github.com/onsi/[email protected]#v2",
"type": "library",
"version": "v2.9.2"
},
{
"bom-ref": "pkg:golang/github.com/release-engineering/[email protected]?package-id=b1aab99da74371f7#v2",
"cpe": "cpe:2.3:a:release-engineering:retrodep\\/v2:v2.1.0:*:*:*:*:*:*:*",
Expand Up @@ -53,10 +53,6 @@ def test_merge_sboms(data_dir: Path) -> None:

purls_taken_from_syft_sbom = get_purls(expected_sbom) - get_purls(cachi2_sbom)
assert purls_taken_from_syft_sbom == {
"pkg:golang/github.com/cachito-testing/[email protected]#terminaltor",
"pkg:golang/github.com/cachito-testing/[email protected]#weird",
"pkg:golang/github.com/cachito-testing/[email protected]#v2",
"pkg:golang/github.com/onsi/[email protected]#v2",
"pkg:golang/github.com/release-engineering/[email protected]#v2",
"pkg:npm/eggs-packages/[email protected]",
"pkg:npm/spam-packages/[email protected]",
