merge_cachi2_sboms: handle npm local deps
Cachi2 puts the path in the purl subpath, syft puts it in the namespace
and name.

Signed-off-by: Adam Cmiel <[email protected]>
chmeliik committed Dec 18, 2024
1 parent 5cea883 commit 504d0c0
Showing 3 changed files with 13 additions and 164 deletions.
Expand Up @@ -2,6 +2,7 @@
import json
from argparse import ArgumentParser
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Callable, Protocol, Sequence
from urllib.parse import quote_plus

Expand Down Expand Up @@ -153,18 +154,30 @@ def _get_syft_component_filter(cachi_sbom_components: Sequence[SBOMItem]) -> Cal
cachi2_non_registry_components = [
component.name() for component in cachi_sbom_components if _is_cachi2_non_registry_dependency(component)
]
cachi2_local_paths = {
Path(subpath) for component in cachi_sbom_components if (purl := component.purl()) and (subpath := purl.subpath)
}

cachi2_indexed_components = {_unique_key_cachi2(component): component for component in cachi_sbom_components}

def is_duplicate_non_registry_component(component: SBOMItem) -> bool:
return component.name() in cachi2_non_registry_components

def is_duplicate_npm_localpath_component(component: SBOMItem) -> bool:
purl = component.purl()
if not purl or purl.type != "npm":
return False
# instead of reporting path dependencies as pkg:npm/name@version?...#subpath,
# syft repots them as pkg:npm/subpath@version
return Path(purl.namespace or "", purl.name) in cachi2_local_paths

def component_is_duplicated(component: SBOMItem) -> bool:
key = _unique_key_syft(component)

return (
_is_syft_local_golang_component(component)
or is_duplicate_non_registry_component(component)
or is_duplicate_npm_localpath_component(component)
or key in cachi2_indexed_components.keys()
)

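Review bot: `cachi2_local_paths` is built from the `purl.subpath` of every cachi2 component regardless of purl type, so a non-npm purl that carries a subpath (the golang `#v2` form appears among the test's expected purls) contributes a bare path such as `v2` to the set, and an unrelated syft npm package whose namespace/name happen to form that path would be dropped as a duplicate. Restricting the set to npm purls keeps the new filter as narrow as the check that consumes it: `Path(subpath) for component in cachi_sbom_components if (purl := component.purl()) and purl.type == "npm" and (subpath := purl.subpath)`. The version is also not compared in `is_duplicate_npm_localpath_component`, which is probably intended for path dependencies but deserves a one-line comment saying so. The comment has a typo: `syft repots them` should read `syft reports them`. The enclosing function `_get_syft_component_filter` starts and ends outside this hunk.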
Expand Up @@ -224,87 +224,6 @@
"type": "library",
"version": "8.32-36.el9"
},
{
"bom-ref": "pkg:npm/eggs-packages/[email protected]?package-id=af32220520b08aa3",
"cpe": "cpe:2.3:a:eggs-packages\\/eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*",
"licenses": [
{
"license": {
"id": "ISC"
}
}
],
"name": "eggs-packages/eggs",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "javascript"
},
{
"name": "syft:package:type",
"value": "npm"
},
{
"name": "syft:package:metadataType",
"value": "javascript-npm-package-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs-packages\\/eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs_packages\\/eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs_packages\\/eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs-packages\\/eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs-packages\\/eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs_packages\\/eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs_packages\\/eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs:eggs-packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:eggs:eggs_packages\\/eggs:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/npm-cachi2-smoketest.bom.json"
}
],
"purl": "pkg:npm/eggs-packages/[email protected]",
"type": "library",
"version": "1.0.0"
},
{
"bom-ref": "pkg:rpm/rhel/[email protected]?arch=x86_64&upstream=filesystem-3.16-5.el9.src.rpm&distro=rhel-9.5&package-id=77424b7b1080bae1",
"cpe": "cpe:2.3:a:filesystem:filesystem:3.16-5.el9:*:*:*:*:*:*:*",
Expand Down Expand Up @@ -1757,87 +1676,6 @@
"type": "library",
"version": "2.13.7-10.el9"
},
{
"bom-ref": "pkg:npm/spam-packages/[email protected]?package-id=8ad0ba47106e9eca",
"cpe": "cpe:2.3:a:spam-packages\\/spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*",
"licenses": [
{
"license": {
"id": "ISC"
}
}
],
"name": "spam-packages/spam",
"properties": [
{
"name": "syft:package:foundBy",
"value": "sbom-cataloger"
},
{
"name": "syft:package:language",
"value": "javascript"
},
{
"name": "syft:package:type",
"value": "npm"
},
{
"name": "syft:package:metadataType",
"value": "javascript-npm-package-lock-entry"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam-packages\\/spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam_packages\\/spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam_packages\\/spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam-packages\\/spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam-packages\\/spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam_packages\\/spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam_packages\\/spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam:spam-packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:spam:spam_packages\\/spam:1.0.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/npm-cachi2-smoketest.bom.json"
}
],
"purl": "pkg:npm/spam-packages/[email protected]",
"type": "library",
"version": "1.0.0"
},
{
"bom-ref": "pkg:rpm/rhel/[email protected]?arch=noarch&upstream=tzdata-2024b-2.el9.src.rpm&distro=rhel-9.5&package-id=ef003e8e892d4bd5",
"cpe": "cpe:2.3:a:redhat:tzdata:2024b-2.el9:*:*:*:*:*:*:*",
Expand Up @@ -54,8 +54,6 @@ def test_merge_sboms(data_dir: Path) -> None:
purls_taken_from_syft_sbom = get_purls(expected_sbom) - get_purls(cachi2_sbom)
assert sorted(purls_taken_from_syft_sbom) == [
"pkg:golang/github.com/release-engineering/[email protected]#v2",
"pkg:npm/eggs-packages/[email protected]",
"pkg:npm/spam-packages/[email protected]",
"pkg:rpm/rhel/[email protected]?arch=noarch&upstream=basesystem-11-13.el9.src.rpm&distro=rhel-9.5",
"pkg:rpm/rhel/[email protected]?arch=x86_64&upstream=bash-5.1.8-9.el9.src.rpm&distro=rhel-9.5",
"pkg:rpm/rhel/[email protected]?arch=x86_64&upstream=coreutils-8.32-36.el9.src.rpm&distro=rhel-9.5",
