diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml index 30e7e648e877..b3cde58e2243 100644 --- a/.github/workflows/semantic-pr.yaml +++ b/.github/workflows/semantic-pr.yaml @@ -74,6 +74,7 @@ jobs: elixir dart swift + bitnami os lang diff --git a/docs/docs/coverage/os/google-distroless.md b/docs/docs/coverage/os/google-distroless.md index cfe5dd3f4e28..ef5b3df917c7 100644 --- a/docs/docs/coverage/os/google-distroless.md +++ b/docs/docs/coverage/os/google-distroless.md @@ -1,4 +1,4 @@ -# Google Distroless +# Google Distroless Images Trivy supports the following scanners for OS packages. | Scanner | Supported | diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md index 825f7ba1b359..55e303c48521 100644 --- a/docs/docs/coverage/os/index.md +++ b/docs/docs/coverage/os/index.md @@ -26,7 +26,13 @@ Trivy supports operating systems for | [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | | [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | | [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg | + +## Supported container images + +| Container image | Supported Versions | Package Managers | +|-----------------------------------------------|-------------------------------------|------------------| | [Google Distroless](google-distroless.md)[^2] | Any | apt/dpkg | +| [Bitnami](bitnami.md) | Any | - | Each page gives more details. diff --git a/go.mod b/go.mod index 5eb1ba400cfd..c5f123a3235e 100644 --- a/go.mod +++ b/go.mod 
@@ -23,7 +23,7 @@ require (
 github.com/aquasecurity/table v1.8.0
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 github.com/aquasecurity/tml v0.6.1
- github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321
+ github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f
 github.com/aws/aws-sdk-go v1.44.273
@@ -74,7 +74,7 @@ require (
 github.com/opencontainers/image-spec v1.1.0-rc4
 github.com/openvex/go-vex v0.2.5
 github.com/owenrumney/go-sarif/v2 v2.2.0
- github.com/package-url/packageurl-go v0.1.1
+ github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b
 github.com/samber/lo v1.38.1
 github.com/saracen/walker v0.1.3
 github.com/secure-systems-lab/go-securesystemslib v0.7.0
diff --git a/go.sum b/go.sum
index e039362b2b46..2462c80c19e3 100644
--- a/go.sum
+++ b/go.sum
@@ -344,8 +344,8 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8= github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo= github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= -github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321 h1:oAXkM8x6jMal+6p2XB78+ntPs5LGjxZhtWHdOy4crlg= -github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU= +github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917 h1:MQd7h7yUyA8UlUzhjNMzpUX0NpD7jfxmRfSKwp/Ji3E= +github.com/aquasecurity/trivy-db v0.0.0-20230831170347-f732860d4917/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU= github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A= github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f h1:KOB3oGBjP+usI88PzDehhJ0AUWoKUCs7wBspcxBAF00= 
@@ -1459,8 +1459,8 @@ github.com/owenrumney/go-sarif/v2 v2.2.0 h1:1DmZaijK0HBZCR1fgcDSGa7VzYkU9NDmbZ7q github.com/owenrumney/go-sarif/v2 v2.2.0/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs= github.com/owenrumney/squealer v1.1.1/go.mod h1:Q5ekVoyFSG2FlnCVIBGsyk/FSMA/ATv8PtwKIVX7t/o= -github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU= -github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= +github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b h1:mUXbYcE4/ZAh9uto21SUH+FL/RGmD0OGYci9JX66jDc= +github.com/package-url/packageurl-go v0.1.2-0.20230812223828-f8bb31c1f10b/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= diff --git a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden index c13bc3127c0b..ff77b1c8482f 100644 --- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden +++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden @@ -117,11 +117,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/base-files@10.3+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "base-files", "version": "10.3+deb10u2", - "purl": "pkg:deb/debian/base-files@10.3+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
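Review bot: String-equality matching on `bom-ref`, `purl` and `dependsOn` values will stop working across this upgrade, because the regenerated identifiers change form: `+` in versions is now percent-encoded (`base-files@10.3+deb10u2` becomes `base-files@10.3%2Bdeb10u2`), and in the later hunks of this file the qualifiers are reordered so that `epoch` follows `distro`. SBOMs, VEX statements or ignore rules produced with an earlier release and compared as raw strings would silently fail to match the same component, which for a scanner can mean a suppression or a finding is lost. This presumably follows from the go.mod change that moves `packageurl-go` from the tagged `v0.1.1` to the untagged pseudo-version `v0.1.2-0.20230812223828-f8bb31c1f10b`; the library change itself is not visible in this diff. If the description or release notes do not already say so, they should state that purl serialization changed and that consumers should compare parsed purls rather than strings. A regression test that parses an old-form purl and a new-form purl for the same package and asserts they are equal would pin that compatibility.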
@@ -220,11 +220,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "bsdutils", "version": "2.33.1-0.1", - "purl": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -463,11 +463,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "diffutils", "version": "3.7-3", - "purl": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -537,11 +537,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/e2fsprogs@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "e2fsprogs", "version": "1.44.5-1+deb10u2", - "purl": "pkg:deb/debian/e2fsprogs@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -611,11 +611,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/findutils@4.6.0+git+20190209-2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "findutils", "version": "4.6.0+git+20190209-2", - "purl": "pkg:deb/debian/findutils@4.6.0+git+20190209-2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -685,11 +685,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/gpgv@2.2.12-1+deb10u1?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "gpgv", "version": "2.2.12-1+deb10u1", - "purl": "pkg:deb/debian/gpgv@2.2.12-1+deb10u1?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -829,11 +829,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/init-system-helpers@1.56+nmu1?arch=all\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all\u0026distro=debian-10.2", "type": "library", "name": "init-system-helpers", "version": "1.56+nmu1", - "purl": "pkg:deb/debian/init-system-helpers@1.56+nmu1?arch=all\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -932,11 +932,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "libattr1", "version": "2.4.48-4", - "purl": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -973,11 +973,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "libaudit-common", "version": "2.8.4-3", - "purl": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -1014,11 +1014,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "libaudit1", "version": "2.8.4-3", - "purl": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -1240,11 +1240,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libcom-err2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libcom-err2", "version": "1.44.5-1+deb10u2", - "purl": "pkg:deb/debian/libcom-err2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -1277,11 +1277,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.5?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libdb5.3", "version": "5.3.28+dfsg1-0.5", - "purl": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.5?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -1347,11 +1347,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libext2fs2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libext2fs2", "version": "1.44.5-1+deb10u2", - "purl": "pkg:deb/debian/libext2fs2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -1458,11 +1458,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "libgcc1", "version": "8.3.0-6", - "purl": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -1606,11 +1606,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "type": "library", "name": "libgmp10", "version": "6.1.2+dfsg-4", - "purl": "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -1943,11 +1943,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libncurses6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libncurses6", "version": "6.1+20181013-2+deb10u2", - "purl": "pkg:deb/debian/libncurses6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -1980,11 +1980,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libncursesw6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libncursesw6", "version": "6.1+20181013-2+deb10u2", - "purl": "pkg:deb/debian/libncursesw6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2239,11 +2239,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "type": "library", "name": "libpcre3", "version": "8.39-12", - "purl": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2317,11 +2317,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libruby2.5", "version": "2.5.5-3+deb10u1", - "purl": "pkg:deb/debian/libruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -2391,11 +2391,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libselinux1", "version": "2.8-1+b1", - "purl": "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2576,11 +2576,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libss2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libss2", "version": "1.44.5-1+deb10u2", - "purl": "pkg:deb/debian/libss2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2613,11 +2613,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libssl1.1", "version": "1.1.1d-0+deb10u2", - "purl": "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -2761,11 +2761,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libtinfo6", "version": "6.1+20181013-2+deb10u2", - "purl": "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2946,11 +2946,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/libzstd1@1.3.8+dfsg-3?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "libzstd1", "version": "1.3.8+dfsg-3", - "purl": "pkg:deb/debian/libzstd1@1.3.8+dfsg-3?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -2983,11 +2983,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "login", "version": "4.5-1.1", - "purl": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -3024,11 +3024,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "mawk", "version": "1.3.3-17+b3", - "purl": "pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3098,11 +3098,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/ncurses-base@6.1+20181013-2+deb10u2?arch=all\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all\u0026distro=debian-10.2", "type": "library", "name": "ncurses-base", "version": "6.1+20181013-2+deb10u2", - "purl": "pkg:deb/debian/ncurses-base@6.1+20181013-2+deb10u2?arch=all\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3135,11 +3135,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/ncurses-bin@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "ncurses-bin", "version": "6.1+20181013-2+deb10u2", - "purl": "pkg:deb/debian/ncurses-bin@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -3172,11 +3172,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/openssl@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "openssl", "version": "1.1.1d-0+deb10u2", - "purl": "pkg:deb/debian/openssl@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3209,11 +3209,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "passwd", "version": "4.5-1.1", - "purl": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3583,11 +3583,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/ruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "ruby2.5", "version": "2.5.5-3+deb10u1", - "purl": "pkg:deb/debian/ruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -3620,11 +3620,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "ruby", "version": "2.5.1", - "purl": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3764,11 +3764,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/tar@1.30+dfsg-6?arch=amd64\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64\u0026distro=debian-10.2", "type": "library", "name": "tar", "version": "1.30+dfsg-6", - "purl": "pkg:deb/debian/tar@1.30+dfsg-6?arch=amd64\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", @@ -3801,11 +3801,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/tzdata@2019c-0+deb10u1?arch=all\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all\u0026distro=debian-10.2", "type": "library", "name": "tzdata", "version": "2019c-0+deb10u1", - "purl": "pkg:deb/debian/tzdata@2019c-0+deb10u1?arch=all\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all\u0026distro=debian-10.2", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -3875,11 +3875,11 @@ ] }, { - "bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "type": "library", "name": "zlib1g", "version": "1.2.11.dfsg-1", - "purl": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "purl": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "properties": [ { "name": "aquasecurity:trivy:LayerDiffID", 
@@ -5739,48 +5739,48 @@ "dependsOn": [ "pkg:deb/debian/adduser@3.118?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/apt@1.8.2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/base-files@10.3+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/base-passwd@3.5.46?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/ca-certificates@20190110?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/coreutils@8.30-3?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/dash@0.5.10.2-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/debian-archive-keyring@2019.1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/debianutils@4.8.6.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/dpkg@1.19.7?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/e2fsprogs@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/fdisk@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/findutils@4.6.0+git+20190209-2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/gcc-8-base@8.3.0-6?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/gpgv@2.2.12-1+deb10u1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", 
"pkg:deb/debian/grep@3.3-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/gzip@1.9-3?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/hostname@3.21?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/init-system-helpers@1.56+nmu1?arch=all\u0026distro=debian-10.2", + "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libacl1@2.2.53-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libapt-pkg5.0@1.8.2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", - "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026epoch=1\u0026distro=debian-10.2", - "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", + "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026distro=debian-10.2\u0026epoch=1", + "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libblkid1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc-bin@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libcap-ng0@0.7.9-2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libcom-err2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.5?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libdebconfclient0@0.249?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libext2fs2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", 
"pkg:deb/debian/libfdisk1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libffi6@3.2.1-9?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libgcrypt20@1.8.4-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgdbm-compat4@1.18.1-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgdbm6@1.18.1-4?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "pkg:deb/debian/libgnutls30@3.6.7-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgpg-error0@1.35-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libhogweed4@3.4.1-1?arch=amd64\u0026distro=debian-10.2", 
@@ -5789,41 +5789,41 @@ "pkg:deb/debian/liblz4-1@1.8.3-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/liblzma5@5.2.4-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libmount1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libncurses6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libncursesw6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libnettle6@3.4.1-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libp11-kit0@0.23.15-2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam-modules-bin@1.3.1-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam-modules@1.3.1-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam-runtime@1.3.1-5?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "pkg:deb/debian/libreadline7@7.0-5?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libseccomp2@2.3.3-4?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsemanage-common@2.8-2?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libsemanage1@2.8-2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsepol1@2.8-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsmartcols1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - 
"pkg:deb/debian/libss2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsystemd0@241-7~deb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libtasn1-6@4.13-3?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libudev1@241-7~deb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libunistring2@0.9.10-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libuuid1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libyaml-0-2@0.2.1-1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libzstd1@1.3.8+dfsg-3?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", - "pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", + "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/mount@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/ncurses-base@6.1+20181013-2+deb10u2?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/ncurses-bin@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/openssl@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all\u0026distro=debian-10.2", 
+ "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/perl-base@5.28.1-6?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/rake@12.3.1-3?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/readline-common@7.0-5?arch=all\u0026distro=debian-10.2", 
@@ -5833,22 +5833,22 @@ "pkg:deb/debian/ruby-power-assert@1.1.1-1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/ruby-test-unit@3.2.8-1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/ruby-xmlrpc@0.3.0-2?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/ruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/rubygems-integration@1.11?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/sed@4.7-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/sysvinit-utils@2.93-8?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/tar@1.30+dfsg-6?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/tzdata@2019c-0+deb10u1?arch=all\u0026distro=debian-10.2", + "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/util-linux@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { "ref": "pkg:deb/debian/adduser@3.118?arch=all\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { 
@@ -5856,17 +5856,17 @@ "dependsOn": [ "pkg:deb/debian/adduser@3.118?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/debian-archive-keyring@2019.1?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/gpgv@2.2.12-1+deb10u1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libapt-pkg5.0@1.8.2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libgnutls30@3.6.7-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libseccomp2@2.3.3-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/base-files@10.3+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { @@ -5879,19 +5879,19 @@ { "ref": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/base-files@10.3+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/debianutils@4.8.6.1?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [] }, { "ref": "pkg:deb/debian/ca-certificates@20190110?arch=all\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/openssl@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { 
@@ -5919,17 +5919,17 @@ "dependsOn": [] }, { - "ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [] }, { "ref": "pkg:deb/debian/dpkg@1.19.7?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/tar@1.30+dfsg-6?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/e2fsprogs@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { @@ -5938,13 +5938,13 @@ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libfdisk1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libmount1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libncursesw6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsmartcols1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/findutils@4.6.0+git+20190209-2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { 
@@ -5952,13 +5952,13 @@ "dependsOn": [] }, { - "ref": "pkg:deb/debian/gpgv@2.2.12-1+deb10u1?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgcrypt20@1.8.4-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgpg-error0@1.35-1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { @@ -5978,7 +5978,7 @@ "dependsOn": [] }, { - "ref": "pkg:deb/debian/init-system-helpers@1.56+nmu1?arch=all\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/perl-base@5.28.1-6?arch=amd64\u0026distro=debian-10.2" ] @@ -5986,7 +5986,7 @@ { "ref": "pkg:deb/debian/libacl1@2.2.53-4?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] }, 
@@ -5995,30 +5995,30 @@ "dependsOn": [ "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/liblz4-1@1.8.3-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/liblzma5@5.2.4-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsystemd0@241-7~deb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libudev1@241-7~deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libzstd1@1.3.8+dfsg-3?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { - "ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [] }, { - "ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ - "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all\u0026distro=debian-10.2\u0026epoch=1", 
"pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libcap-ng0@0.7.9-2?arch=amd64\u0026distro=debian-10.2" ] @@ -6045,7 +6045,7 @@ { "ref": "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { @@ -6055,13 +6055,13 @@ ] }, { - "ref": "pkg:deb/debian/libcom-err2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libdb5.3@5.3.28+dfsg1-0.5?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] @@ -6073,7 +6073,7 @@ ] }, { - "ref": "pkg:deb/debian/libext2fs2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] @@ -6093,7 +6093,7 @@ ] }, { - "ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ "pkg:deb/debian/gcc-8-base@8.3.0-6?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" @@ -6120,7 +6120,7 @@ ] }, { - "ref": "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] 
@@ -6129,7 +6129,7 @@ "ref": "pkg:deb/debian/libgnutls30@3.6.7-4?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "pkg:deb/debian/libhogweed4@3.4.1-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libnettle6@3.4.1-1?arch=amd64\u0026distro=debian-10.2", @@ -6148,7 +6148,7 @@ "ref": "pkg:deb/debian/libhogweed4@3.4.1-1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "pkg:deb/debian/libnettle6@3.4.1-1?arch=amd64\u0026distro=debian-10.2" ] }, @@ -6163,7 +6163,7 @@ "ref": "pkg:deb/debian/libjemalloc2@5.1.0-3?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64\u0026distro=debian-10.2" ] }, 
@@ -6184,21 +6184,21 @@ "dependsOn": [ "pkg:deb/debian/libblkid1@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libncurses6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libncursesw6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { @@ -6217,10 +6217,10 @@ { "ref": "pkg:deb/debian/libpam-modules-bin@1.3.1-5?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2" ] }, { 
@@ -6238,12 +6238,12 @@ "ref": "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] 
@@ -6252,22 +6252,22 @@ "ref": "pkg:deb/debian/libreadline7@7.0-5?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/readline-common@7.0-5?arch=all\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libffi6@3.2.1-9?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgdbm-compat4@1.18.1-4?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libgdbm6@1.18.1-4?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", - "pkg:deb/debian/libncurses6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", + "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libreadline7@7.0-5?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libyaml-0-2@0.2.1-1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/rake@12.3.1-3?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/ruby-did-you-mean@1.2.1-1?arch=all\u0026distro=debian-10.2", 
@@ -6275,7 +6275,7 @@ "pkg:deb/debian/ruby-net-telnet@0.1.1-2?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/ruby-test-unit@3.2.8-1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/ruby-xmlrpc@0.3.0-2?arch=all\u0026distro=debian-10.2", - "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { @@ -6285,10 +6285,10 @@ ] }, { - "ref": "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026epoch=2\u0026distro=debian-10.2" + "pkg:deb/debian/libpcre3@8.39-12?arch=amd64\u0026distro=debian-10.2\u0026epoch=2" ] }, { @@ -6298,10 +6298,10 @@ { "ref": "pkg:deb/debian/libsemanage1@2.8-2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsemanage-common@2.8-2?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libsepol1@2.8-1?arch=amd64\u0026distro=debian-10.2" ] 
@@ -6319,14 +6319,14 @@ ] }, { - "ref": "pkg:deb/debian/libss2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libcom-err2@1.44.5-1+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" @@ -6337,7 +6337,7 @@ "dependsOn": [ "pkg:deb/debian/gcc-8-base@8.3.0-6?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { @@ -6351,7 +6351,7 @@ ] }, { - "ref": "pkg:deb/debian/libtinfo6@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] 
@@ -6381,17 +6381,17 @@ ] }, { - "ref": "pkg:deb/debian/libzstd1@1.3.8+dfsg-3?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [] }, { - "ref": "pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { 
@@ -6401,28 +6401,28 @@ ] }, { - "ref": "pkg:deb/debian/ncurses-base@6.1+20181013-2+deb10u2?arch=all\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all\u0026distro=debian-10.2", "dependsOn": [] }, { - "ref": "pkg:deb/debian/ncurses-bin@6.1+20181013-2+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { - "ref": "pkg:deb/debian/openssl@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libssl1.1@1.1.1d-0+deb10u2?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ - "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam-modules@1.3.1-5?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libselinux1@2.8-1+b1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/libsemanage1@2.8-2?arch=amd64\u0026distro=debian-10.2" ] }, @@ -6433,7 +6433,7 @@ { "ref": "pkg:deb/debian/rake@12.3.1-3?arch=all\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { 
@@ -6469,18 +6469,18 @@ "dependsOn": [] }, { - "ref": "pkg:deb/debian/ruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/libgmp10@6.1.2+dfsg-4?arch=amd64\u0026epoch=2\u0026distro=debian-10.2", - "pkg:deb/debian/libruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2", + "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64\u0026distro=debian-10.2\u0026epoch=2", + "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/rubygems-integration@1.11?arch=all\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ - "pkg:deb/debian/ruby2.5@2.5.5-3+deb10u1?arch=amd64\u0026distro=debian-10.2" + "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64\u0026distro=debian-10.2" ] }, { @@ -6496,17 +6496,17 @@ { "ref": "pkg:deb/debian/sysvinit-utils@2.93-8?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ - "pkg:deb/debian/init-system-helpers@1.56+nmu1?arch=all\u0026distro=debian-10.2", + "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all\u0026distro=debian-10.2", "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2", "pkg:deb/debian/util-linux@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2" ] }, { - "ref": "pkg:deb/debian/tar@1.30+dfsg-6?arch=amd64\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64\u0026distro=debian-10.2", "dependsOn": [] }, { - "ref": "pkg:deb/debian/tzdata@2019c-0+deb10u1?arch=all\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/debconf@1.5.71?arch=all\u0026distro=debian-10.2" ] 
@@ -6515,11 +6515,11 @@ "ref": "pkg:deb/debian/util-linux@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", "dependsOn": [ "pkg:deb/debian/fdisk@2.33.1-0.1?arch=amd64\u0026distro=debian-10.2", - "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2" + "pkg:deb/debian/login@4.5-1.1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1" ] }, { - "ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026epoch=1\u0026distro=debian-10.2", + "ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64\u0026distro=debian-10.2\u0026epoch=1", "dependsOn": [ "pkg:deb/debian/libc6@2.28-10?arch=amd64\u0026distro=debian-10.2" ] diff --git a/mkdocs.yml b/mkdocs.yml index c1e504fcb3b6..334ea52a4d70 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -76,7 +76,6 @@ nav: - CentOS: docs/coverage/os/centos.md - Chainguard: docs/coverage/os/chainguard.md - Debian: docs/coverage/os/debian.md - - Google Distroless: docs/coverage/os/google-distroless.md - Oracle Linux: docs/coverage/os/oracle.md - Photon OS: docs/coverage/os/photon.md - Red Hat: docs/coverage/os/rhel.md @@ -84,6 +83,8 @@ nav: - SUSE: docs/coverage/os/suse.md - Ubuntu: docs/coverage/os/ubuntu.md - Wolfi: docs/coverage/os/wolfi.md + - Google Distroless (Images): docs/coverage/os/google-distroless.md + - Bitnami (Images): docs/coverage/os/bitnami.md - Language: - Overview: docs/coverage/language/index.md - C/C++: docs/coverage/language/c.md diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go index 52d0196efbd2..ae290ee503ed 100644 --- a/pkg/detector/library/driver.go +++ b/pkg/detector/library/driver.go 
@@ -65,6 +65,9 @@ func NewDriver(libType string) (Driver, bool) { // https://www.swift.org/package-manager/#importing-dependencies ecosystem = vulnerability.Swift comparer = compare.GenericComparer{} + case ftypes.Bitnami: + ecosystem = vulnerability.Bitnami + comparer = compare.GenericComparer{} case ftypes.Cocoapods: // CocoaPods uses RubyGems version specifiers // https://guides.cocoapods.org/making/making-a-cocoapod.html#cocoapods-versioning-specifics diff --git a/pkg/fanal/analyzer/analyzer.go b/pkg/fanal/analyzer/analyzer.go index 1a781c5eabb5..32168e56061a 100644 --- a/pkg/fanal/analyzer/analyzer.go +++ b/pkg/fanal/analyzer/analyzer.go @@ -194,7 +194,10 @@ func (r *AnalysisResult) Sort() { // Language-specific packages sort.Slice(r.Applications, func(i, j int) bool { - return r.Applications[i].FilePath < r.Applications[j].FilePath + if r.Applications[i].FilePath != r.Applications[j].FilePath { + return r.Applications[i].FilePath < r.Applications[j].FilePath + } + return r.Applications[i].Type < r.Applications[j].Type }) for _, app := range r.Applications { diff --git a/pkg/fanal/analyzer/sbom/sbom.go b/pkg/fanal/analyzer/sbom/sbom.go index d3d26b81a293..1f8b62af2fd6 100644 --- a/pkg/fanal/analyzer/sbom/sbom.go +++ b/pkg/fanal/analyzer/sbom/sbom.go @@ -9,7 +9,9 @@ import ( "golang.org/x/xerrors" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" + ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/sbom" + "github.com/aquasecurity/trivy/pkg/types" ) func init() { 
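Review bot: The new `case ftypes.Bitnami:` in NewDriver has no comment saying why `compare.GenericComparer{}` is the right version comparer, unlike the Swift and CocoaPods cases around it, which cite the versioning scheme they rely on. The comparer decides whether an installed version falls inside a vulnerable range, so a mismatch with the advisory feed's version syntax would show up as missed or spurious findings. I would add a comment such as `// Bitnami advisories are matched with generic version comparison; see https://github.com/bitnami/vulndb`, once that has been confirmed against the feed. NewDriver starts and ends outside the hunk.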
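Review bot: Applications that share both FilePath and Type still compare as equal in the new less function in Sort, and `sort.Slice` gives no stability guarantee, so their final order depends on the input order and the sort implementation. Whether the SBOM analyzer can emit several applications of one type with the same or an empty path is not visible in this hunk; if it can, `sort.SliceStable(r.Applications, func(i, j int) bool {` would at least preserve input order for full ties. Binding `a, b := r.Applications[i], r.Applications[j]` at the top of the closure would also replace the four repeated index expressions. Sort's body continues outside the hunk.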
@@ -39,26 +41,12 @@ func (a sbomAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) ( return nil, xerrors.Errorf("SBOM decode error: %w", err) } - // For Bitnami images + // Bitnami images + // SPDX files are located under the /opt/bitnami/ directory + // and named with the pattern .spdx-.spdx + // ref: https://github.com/bitnami/vulndb#how-to-consume-this-cve-feed if strings.HasPrefix(input.FilePath, "opt/bitnami/") { - dir, file := path.Split(input.FilePath) - bin := strings.TrimPrefix(file, ".spdx-") - bin = strings.TrimSuffix(bin, ".spdx") - binPath := path.Join(input.FilePath, "../bin", bin) - for i, app := range bom.Applications { - // Replace the SBOM path with the binary path - bom.Applications[i].FilePath = binPath - - for j, pkg := range app.Libraries { - if pkg.FilePath == "" { - continue - } - // Set the absolute path since SBOM in Bitnami images contain a relative path - // e.g. modules/apm/elastic-apm-agent-1.36.0.jar - // => opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar - bom.Applications[i].Libraries[j].FilePath = path.Join(dir, pkg.FilePath) - } - } + handleBitnamiImages(path.Dir(input.FilePath), bom) } return &analyzer.AnalysisResult{ 
@@ -83,3 +71,22 @@ func (a sbomAnalyzer) Type() analyzer.Type { func (a sbomAnalyzer) Version() int { return version } + +func handleBitnamiImages(componentPath string, bom types.SBOM) { + for i, app := range bom.Applications { + if app.Type == ftypes.Bitnami { + // Set the component dir path to the application + bom.Applications[i].FilePath = componentPath + // Either Application.FilePath or Application.Libraries[].FilePath should be set + continue + } + + for j, pkg := range app.Libraries { + // Set the absolute path since SBOM in Bitnami images contain a relative path + // e.g. modules/apm/elastic-apm-agent-1.36.0.jar + // => opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar + // If the file path is empty, the file path will be set to the component dir path. + bom.Applications[i].Libraries[j].FilePath = path.Join(componentPath, pkg.FilePath) + } + } +} diff --git a/pkg/fanal/analyzer/sbom/sbom_test.go b/pkg/fanal/analyzer/sbom/sbom_test.go index 21e83b7fb5e8..e6168cf60711 100644 --- a/pkg/fanal/analyzer/sbom/sbom_test.go +++ b/pkg/fanal/analyzer/sbom/sbom_test.go 
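Review bot: `path.Join(componentPath, pkg.FilePath)` in handleBitnamiImages normalises `..` segments, and `pkg.FilePath` is read from an SBOM file stored inside the scanned image, so a relative path in that SBOM can resolve outside the component directory. The hunk only stores the result, and whether anything later opens that path is not visible here, but the report can already attribute a library to a location chosen by whoever built the image. I would keep the joined path only when it stays under `componentPath` and fall back to the component directory otherwise, as below. A test case with a `..` path in the SBOM fixture would pin that behaviour.

```go
for j, pkg := range app.Libraries {
	// … unchanged: comment on relative paths in Bitnami SBOMs …
	libPath := path.Join(componentPath, pkg.FilePath)
	if libPath != componentPath && !strings.HasPrefix(libPath, componentPath+"/") {
		// The SBOM comes from the scanned image; do not let ".." escape the component dir.
		libPath = componentPath
	}
	bom.Applications[i].Libraries[j].FilePath = libPath
}
```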
@@ -2,41 +2,68 @@ package sbom import ( "context" + "os" + "testing" + "github.com/aquasecurity/trivy/pkg/fanal/analyzer" "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "os" - "testing" ) func Test_sbomAnalyzer_Analyze(t *testing.T) { tests := []struct { - name string - file string - want *analyzer.AnalysisResult - wantErr require.ErrorAssertionFunc + name string + file string + filePath string + want *analyzer.AnalysisResult + wantErr require.ErrorAssertionFunc }{ { - name: "valid spdx file", - file: "testdata/spdx.json", + name: "valid elasticsearch spdx file", + file: "testdata/elasticsearch.spdx.json", + filePath: "opt/bitnami/elasticsearch/.spdx-elasticsearch.spdx", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { - Type: types.Jar, - FilePath: "opt/bitnami/bin/elasticsearch", + Type: types.Jar, Libraries: types.Packages{ { - FilePath: "opt/bitnami/modules/apm/elastic-apm-agent-1.36.0.jar", Name: "co.elastic.apm:apm-agent", Version: "1.36.0", Ref: "pkg:maven/co.elastic.apm/apm-agent@1.36.0", + FilePath: "opt/bitnami/elasticsearch", }, { - FilePath: "opt/bitnami/modules/apm/elastic-apm-agent-1.36.0.jar", Name: "co.elastic.apm:apm-agent-cached-lookup-key", Version: "1.36.0", Ref: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0", + FilePath: "opt/bitnami/elasticsearch", + }, + { + Name: "co.elastic.apm:apm-agent-common", + Version: "1.36.0", + Ref: "pkg:maven/co.elastic.apm/apm-agent-common@1.36.0", + FilePath: "opt/bitnami/elasticsearch", + }, + { + Name: "co.elastic.apm:apm-agent-core", + Version: "1.36.0", + Ref: "pkg:maven/co.elastic.apm/apm-agent-core@1.36.0", + FilePath: "opt/bitnami/elasticsearch", + }, + }, + }, + { + Type: types.Bitnami, + FilePath: "opt/bitnami/elasticsearch", + Libraries: types.Packages{ + { + Name: "elasticsearch", + Version: "8.9.1", + Ref: "pkg:bitnami/elasticsearch@8.9.1?arch=arm64", + Arch: "arm64", + Licenses: 
[]string{"Elastic-2.0"}, }, }, }, @@ -45,22 +72,22 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) { wantErr: require.NoError, }, { - name: "valid cdx file", - file: "testdata/cdx.json", + name: "valid elasticsearch cdx file", + file: "testdata/cdx.json", + filePath: "opt/bitnami/elasticsearch/.spdx-elasticsearch.cdx", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { - Type: types.Jar, - FilePath: "opt/bitnami/bin/elasticsearch", + Type: types.Jar, Libraries: types.Packages{ { - FilePath: "opt/bitnami/modules/apm/elastic-apm-agent-1.36.0.jar", + FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar", Name: "co.elastic.apm:apm-agent", Version: "1.36.0", Ref: "pkg:maven/co.elastic.apm/apm-agent@1.36.0", }, { - FilePath: "opt/bitnami/modules/apm/elastic-apm-agent-1.36.0.jar", + FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar", Name: "co.elastic.apm:apm-agent-cached-lookup-key", Version: "1.36.0", Ref: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0", 
@@ -72,10 +99,51 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) { wantErr: require.NoError, }, { - name: "invalid spdx file", - file: "testdata/invalid_spdx.json", - want: nil, - wantErr: require.Error, + name: "valid postgresql spdx file", + file: "testdata/postgresql.spdx.json", + filePath: "opt/bitnami/postgresql/.spdx-postgresql.spdx", + want: &analyzer.AnalysisResult{ + Applications: []types.Application{ + { + Type: types.Bitnami, + FilePath: "opt/bitnami/postgresql", + Libraries: types.Packages{ + { + Name: "gdal", + Version: "3.7.1", + Ref: "pkg:bitnami/gdal@3.7.1", + Licenses: []string{"MIT"}, + }, + { + Name: "geos", + Version: "3.8.3", + Ref: "pkg:bitnami/geos@3.8.3", + Licenses: []string{"LGPL-2.1-only"}, + }, + { + Name: "postgresql", + Version: "15.3.0", + Ref: "pkg:bitnami/postgresql@15.3.0", + Licenses: []string{"PostgreSQL"}, + }, + { + Name: "proj", + Version: "6.3.2", + Ref: "pkg:bitnami/proj@6.3.2", + Licenses: []string{"MIT"}, + }, + }, + }, + }, + }, + wantErr: require.NoError, + }, + { + name: "invalid spdx file", + file: "testdata/invalid_spdx.json", + filePath: "opt/bitnami/elasticsearch/.spdx-elasticsearch.spdx", + want: nil, + wantErr: require.Error, }, } for _, tt := range tests { @@ -86,10 +154,14 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) { a := sbomAnalyzer{} got, err := a.Analyze(context.Background(), analyzer.AnalysisInput{ - FilePath: "opt/bitnami/.spdx-elasticsearch.spdx", + FilePath: tt.filePath, Content: f, }) tt.wantErr(t, err) + + if got != nil { + got.Sort() + } assert.Equal(t, tt.want, got) }) } diff --git a/pkg/fanal/analyzer/sbom/testdata/elasticsearch.spdx.json b/pkg/fanal/analyzer/sbom/testdata/elasticsearch.spdx.json new file mode 100644 index 000000000000..155d7de903f2 --- /dev/null +++ b/pkg/fanal/analyzer/sbom/testdata/elasticsearch.spdx.json 
@@ -0,0 +1,150 @@ +{ + "SPDXID": "SPDXRef-elasticsearch", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2023-08-18T20:09:40.708Z", + "creators": [ + "Organization: VMware, Inc." + ] + }, + "name": "SPDX document for Elasticsearch 8.9.1", + "dataLicense": "CC0-1.0", + "documentDescribes": [ + "SPDXRef-elasticsearch" + ], + "documentNamespace": "elasticsearch-8.9.1", + "packages": [ + { + "SPDXID": "SPDXRef-elasticsearch", + "name": "Elasticsearch", + "versionInfo": "8.9.1", + "downloadLocation": "https://github.com/elastic/elasticsearch/archive/v8.9.1.tar.gz", + "licenseConcluded": "Elastic-2.0", + "licenseDeclared": "Elastic-2.0", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:elastic:elasticsearch:8.9.1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:bitnami/elasticsearch@8.9.1?arch=arm64" + } + ], + "copyrightText": "NOASSERTION" + }, + { + "name": "jar", + "SPDXID": "SPDXRef-Application-150e605f5f17224d", + "downloadLocation": "NONE", + "sourceInfo": "Java", + "copyrightText": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "filesAnalyzed": false + }, + { + "name": "co.elastic.apm:apm-agent", + "SPDXID": "SPDXRef-Package-f0db45781e6813a1", + "versionInfo": "1.36.0", + "supplier": "NOASSERTION", + "downloadLocation": "NONE", + "licenseConcluded": "NONE", + "licenseDeclared": "NONE", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent@1.36.0" + } + ], + "filesAnalyzed": false + }, + { + "name": "co.elastic.apm:apm-agent-cached-lookup-key", + "SPDXID": "SPDXRef-Package-efe22bf5916f985f", + "versionInfo": "1.36.0", + "supplier": "NOASSERTION", + "downloadLocation": "NONE", + "licenseConcluded": "NONE", + 
"licenseDeclared": "NONE", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0" + } + ], + "filesAnalyzed": false + }, + { + "name": "co.elastic.apm:apm-agent-common", + "SPDXID": "SPDXRef-Package-33d86d2d11abe114", + "versionInfo": "1.36.0", + "supplier": "NOASSERTION", + "downloadLocation": "NONE", + "licenseConcluded": "NONE", + "licenseDeclared": "NONE", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent-common@1.36.0" + } + ], + "filesAnalyzed": false + }, + { + "name": "co.elastic.apm:apm-agent-core", + "SPDXID": "SPDXRef-Package-b905fcf69ca61281", + "versionInfo": "1.36.0", + "supplier": "NOASSERTION", + "downloadLocation": "NONE", + "licenseConcluded": "NONE", + "licenseDeclared": "NONE", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent-core@1.36.0" + } + ], + "filesAnalyzed": false + } + ], + "files": [], + "relationships": [ + { + "spdxElementId": "SPDXRef-elasticsearch", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Application-150e605f5f17224d" + }, + { + "spdxElementId": "SPDXRef-Application-150e605f5f17224d", + "relatedSpdxElement": "SPDXRef-Package-f0db45781e6813a1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Application-150e605f5f17224d", + "relatedSpdxElement": "SPDXRef-Package-efe22bf5916f985f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Application-150e605f5f17224d", + "relatedSpdxElement": "SPDXRef-Package-33d86d2d11abe114", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Application-150e605f5f17224d", + "relatedSpdxElement": 
"SPDXRef-Package-b905fcf69ca61281", + "relationshipType": "CONTAINS" + } + ] +} diff --git a/pkg/fanal/analyzer/sbom/testdata/postgresql.spdx.json b/pkg/fanal/analyzer/sbom/testdata/postgresql.spdx.json new file mode 100644 index 000000000000..ec9860bb0109 --- /dev/null +++ b/pkg/fanal/analyzer/sbom/testdata/postgresql.spdx.json 
@@ -0,0 +1,120 @@ +{ + "SPDXID": "SPDXRef-postgresql", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2023-07-13T19:24:23.609Z", + "creators": [ + "Organization: VMware, Inc." + ] + }, + "name": "SPDX document for PostgreSQL 15.3.0", + "dataLicense": "CC0-1.0", + "documentDescribes": [ + "SPDXRef-postgresql" + ], + "documentNamespace": "postgresql-15.3.0", + "packages": [ + { + "SPDXID": "SPDXRef-postgresql", + "name": "PostgreSQL", + "versionInfo": "15.3.0", + "downloadLocation": "https://ftp.postgresql.org/pub/source/v15.3/postgresql-15.3.tar.gz", + "licenseConcluded": "PostgreSQL", + "licenseDeclared": "PostgreSQL", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:postgresql:postgresql:15.3.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:bitnami/postgresql@15.3.0" + } + ] + }, + { + "SPDXID": "SPDXRef-geos", + "name": "GEOS", + "versionInfo": "3.8.3", + "downloadLocation": "https://github.com/libgeos/geos/archive/3.8.3.tar.gz", + "licenseConcluded": "LGPL-2.1-only", + "licenseDeclared": "LGPL-2.1-only", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:libgeos:geos:3.8.3:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:bitnami/geos@3.8.3" + } + ] + }, + { + "SPDXID": "SPDXRef-proj", + "name": "Proj", + "versionInfo": "6.3.2", + "downloadLocation": "https://github.com/OSGeo/PROJ/archive/6.3.2.tar.gz", + "licenseConcluded": "MIT", + "licenseDeclared": "MIT", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:proj:proj:6.3.2:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": 
"purl", + "referenceLocator": "pkg:bitnami/proj@6.3.2" + } + ] + }, + { + "SPDXID": "SPDXRef-gdal", + "name": "GDAL", + "versionInfo": "3.7.1", + "downloadLocation": "https://github.com/OSGeo/gdal/releases/download/v3.7.1/gdal-3.7.1.tar.gz", + "licenseConcluded": "MIT", + "licenseDeclared": "MIT", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:osgeo:gdal:3.7.1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:bitnami/gdal@3.7.1" + } + ] + } + ], + "files": [], + "relationships": [ + { + "spdxElementId": "SPDXRef-postgresql", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-geos" + }, + { + "spdxElementId": "SPDXRef-postgresql", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-proj" + }, + { + "spdxElementId": "SPDXRef-postgresql", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-gdal" + } + ] +} diff --git a/pkg/fanal/analyzer/sbom/testdata/spdx.json b/pkg/fanal/analyzer/sbom/testdata/spdx.json deleted file mode 100644 index 16495c54e1df..000000000000 --- a/pkg/fanal/analyzer/sbom/testdata/spdx.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "SPDXID": "SPDXRef-elasticsearch", - "spdxVersion": "SPDX-2.3", - "creationInfo": { - "created": "2023-05-17T15:59:30.511Z", - "creators": [ - "Organization: VMware, Inc." - ] - }, - "name": "SPDX document for Elasticsearch 8.7.1", - "dataLicense": "CC0-1.0", - "documentDescribes": [ - "SPDXRef-elasticsearch" - ], - "documentNamespace": "elasticsearch-8.7.1", - "packages": [ - { - "SPDXID": "SPDXRef-elasticsearch", - "name": "Elasticsearch", - "versionInfo": "8.7.1", - "downloadLocation": "https://github.com/elastic/elasticsearch/archive/v8.7.1.tar.gz", - "licenseConcluded": "Elastic-2.0", - "licenseDeclared": "Elastic-2.0", - "filesAnalyzed": false, - "externalRefs": [ - { - "referenceCategory": "SECURITY", - "referenceType": "cpe23Type", - "referenceLocator": "cpe:2.3:*:elasticsearch:elasticsearch:8.7.1:*:*:*:*:*:*:*" - } - ] - }, - { - "name": "co.elastic.apm:apm-agent", - "SPDXID": "SPDXRef-Package-d6465ccdd5385c16", - "versionInfo": "1.36.0", - "supplier": "NOASSERTION", - "downloadLocation": "NONE", - "licenseConcluded": "NONE", - "licenseDeclared": "NONE", - "copyrightText": "", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:maven/co.elastic.apm/apm-agent@1.36.0" - } - ], - "primaryPackagePurpose": "LIBRARY", - "files": [ - { - "fileName":"modules/apm/elastic-apm-agent-1.36.0.jar", - "SPDXID": "SPDXRef-File-4d457bf4ff3526ea", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "d2a9ad9b159eb650d25add9395c4f4198f200066" - } - ], - "copyrightText": "" - } - ] - }, - { - "name": "co.elastic.apm:apm-agent-cached-lookup-key", - "SPDXID": "SPDXRef-Package-8e3a2cf58d7bd790", - "versionInfo": "1.36.0", - "supplier": "NOASSERTION", - "downloadLocation": "NONE", - "licenseConcluded": "NONE", - "licenseDeclared": "NONE", - "copyrightText": "", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": 
"pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0" - } - ], - "primaryPackagePurpose": "LIBRARY", - "files": [ - { - "fileName": "modules/apm/elastic-apm-agent-1.36.0.jar", - "SPDXID": "SPDXRef-File-4d457bf4ff3526ea", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "d2a9ad9b159eb650d25add9395c4f4198f200066" - } - ], - "copyrightText": "" - } - ] - } - ], - "files": [] -} \ No newline at end of file diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index 4a8e9f49c89f..faaece10fb7d 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go @@ -34,6 +34,7 @@ const ( Swift = "swift" Pub = "pub" Hex = "hex" + Bitnami = "bitnami" // Config files YAML = "yaml" diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go index fa7ea391129e..2ab2e4e49c5c 100644 --- a/pkg/purl/purl.go +++ b/pkg/purl/purl.go @@ -129,6 +129,8 @@ func (p *PackageURL) PackageType() string { return ftypes.Conan case TypeDart: // TODO: replace with packageurl.TypeDart once they add it. return ftypes.Pub + case packageurl.TypeBitnami: + return ftypes.Bitnami } return p.Type } diff --git a/pkg/sbom/cyclonedx/core/cyclonedx_test.go b/pkg/sbom/cyclonedx/core/cyclonedx_test.go index 025a2871c491..c147b74247df 100644 --- a/pkg/sbom/cyclonedx/core/cyclonedx_test.go +++ b/pkg/sbom/cyclonedx/core/cyclonedx_test.go @@ -293,7 +293,7 @@ func TestMarshaler_CoreComponent(t *testing.T) { }, }, { - BOMRef: "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=", + BOMRef: "pkg:oci/kube-apiserver@sha256%3A18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?arch=&repository_url=k8s.gcr.io%2Fkube-apiserver", Hashes: &[]cdx.Hash{ { Algorithm: "SHA-256", 
@@ -303,7 +303,7 @@ func TestMarshaler_CoreComponent(t *testing.T) { Type: "container", Name: "k8s.gcr.io/kube-apiserver", Version: "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f", - PackageURL: "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=", + PackageURL: "pkg:oci/kube-apiserver@sha256%3A18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?arch=&repository_url=k8s.gcr.io%2Fkube-apiserver", Properties: &[]cdx.Property{ { Name: "aquasecurity:trivy:PkgID", @@ -326,7 +326,7 @@ func TestMarshaler_CoreComponent(t *testing.T) { }, { Ref: "3ff14136-e09f-4df9-80ea-000000000003", - Dependencies: &[]string{"pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch="}, + Dependencies: &[]string{"pkg:oci/kube-apiserver@sha256%3A18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?arch=&repository_url=k8s.gcr.io%2Fkube-apiserver"}, }, { Ref: "3ff14136-e09f-4df9-80ea-000000000004", @@ -355,7 +355,7 @@ func TestMarshaler_CoreComponent(t *testing.T) { Dependencies: &noDepRefs, }, { - Ref: "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=", + Ref: "pkg:oci/kube-apiserver@sha256%3A18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?arch=&repository_url=k8s.gcr.io%2Fkube-apiserver", Dependencies: &noDepRefs, }, }, diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go index 6c76a592e83f..fe791509d2de 100644 --- a/pkg/sbom/cyclonedx/marshal_test.go +++ b/pkg/sbom/cyclonedx/marshal_test.go 
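Review bot: The expected `BOMRef`, `PackageURL` and `Dependencies` strings in `@@ -303,7 +303,7 @@`, in `@@ -293,7 +293,7 @@` before it and in the later hunks of this file now spell the same purl differently (`sha256%3A…` instead of `sha256:…`, qualifiers in key order), and nothing in the tests records why. These strings are identifiers that other documents refer to, so anything matching them by exact text against SBOMs or VEX statements produced earlier would stop matching; whether such a comparison exists is not visible here. I would add `// purl is in packageurl-go canonical form: qualifiers sorted by key, ':' in the version percent-encoded` above the first expectation. A small test asserting that the old and new spellings parse to the same package URL would pin the equivalence.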
@@ -191,8 +191,8 @@ func TestMarshaler_Marshal(t *testing.T) { }, Component: &cdx.Component{ Type: cdx.ComponentTypeContainer, - BOMRef: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64", - PackageURL: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64", + BOMRef: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", + PackageURL: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", Name: "rails:latest", Properties: &[]cdx.Property{ { @@ -464,7 +464,7 @@ func TestMarshaler_Marshal(t *testing.T) { Dependencies: lo.ToPtr([]string{}), }, { - Ref: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64", + Ref: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", Dependencies: &[]string{ "3ff14136-e09f-4df9-80ea-000000000002", "3ff14136-e09f-4df9-80ea-000000000003", @@ -823,7 +823,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - BOMRef: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&epoch=1&distro=centos-8.3.2011", + BOMRef: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", Type: cdx.ComponentTypeLibrary, Name: "acl", Version: "2.2.53-1.el8", @@ -834,7 +834,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, }, - PackageURL: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&epoch=1&distro=centos-8.3.2011", + PackageURL: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", Properties: &[]cdx.Property{ { Name: "aquasecurity:trivy:PkgID", 
@@ -923,7 +923,7 @@ func TestMarshaler_Marshal(t *testing.T) { { Ref: "3ff14136-e09f-4df9-80ea-000000000003", Dependencies: &[]string{ - "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&epoch=1&distro=centos-8.3.2011", + "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", // Trivy is unable to identify the direct OS packages as of today. "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", }, @@ -937,7 +937,7 @@ func TestMarshaler_Marshal(t *testing.T) { Dependencies: lo.ToPtr([]string{}), }, { - Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&epoch=1&distro=centos-8.3.2011", + Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", Dependencies: &[]string{ "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", }, diff --git a/pkg/sbom/spdx/marshal_test.go b/pkg/sbom/spdx/marshal_test.go index 3cbdbe226b76..a0e9e0c21ded 100644 --- a/pkg/sbom/spdx/marshal_test.go +++ b/pkg/sbom/spdx/marshal_test.go @@ -209,7 +209,7 @@ func TestMarshaler_Marshal(t *testing.T) { { Category: tspdx.CategoryPackageManager, RefType: tspdx.RefTypePurl, - Locator: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64", + Locator: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", }, }, PackageAttributionTexts: []string{ @@ -370,7 +370,7 @@ func TestMarshaler_Marshal(t *testing.T) { { Category: tspdx.CategoryPackageManager, RefType: tspdx.RefTypePurl, - Locator: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&epoch=1&distro=centos-8.3.2011", + Locator: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", }, }, PackageSourceInfo: "built package from: acl 1:2.2.53-1.el8", diff --git a/pkg/sbom/spdx/unmarshal.go b/pkg/sbom/spdx/unmarshal.go index 46f02125b496..3319410213a6 100644 
--- a/pkg/sbom/spdx/unmarshal.go +++ b/pkg/sbom/spdx/unmarshal.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "io" + "sort" "strings" version "github.com/knqyf263/go-rpm-version" @@ -73,6 +74,9 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { packageSPDXIdentifierMap := createPackageSPDXIdentifierMap(spdxDocument.Packages) packageFilePaths := getPackageFilePaths(spdxDocument) + // Hold packages that are not processed by relationships + orphanPkgs := createPackageSPDXIdentifierMap(spdxDocument.Packages) + relationships := lo.Filter(spdxDocument.Relationships, func(rel *spdx.Relationship, _ int) bool { // Skip the DESCRIBES relationship. return rel.Relationship != common.TypeRelationshipDescribe && rel.Relationship != "DESCRIBE" @@ -90,8 +94,8 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { // - Python package A // - Python package B for _, rel := range relationships { - pkgA := packageSPDXIdentifierMap[string(rel.RefA.ElementRefID)] - pkgB := packageSPDXIdentifierMap[string(rel.RefB.ElementRefID)] + pkgA := packageSPDXIdentifierMap[rel.RefA.ElementRefID] + pkgB := packageSPDXIdentifierMap[rel.RefB.ElementRefID] if pkgA == nil || pkgB == nil { // Skip the missing pkg relationship. @@ -102,6 +106,7 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { // Relationship: root package => OS case isOperatingSystem(pkgB.PackageSPDXIdentifier): s.SBOM.OS = parseOS(*pkgB) + delete(orphanPkgs, pkgB.PackageSPDXIdentifier) // Relationship: OS => OS package case isOperatingSystem(pkgA.PackageSPDXIdentifier): pkg, _, err := parsePkg(*pkgB, packageFilePaths) @@ -111,6 +116,7 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { return xerrors.Errorf("failed to parse os package: %w", err) } osPkgs = append(osPkgs, *pkg) + delete(orphanPkgs, pkgB.PackageSPDXIdentifier) // Relationship: root package => application case isApplication(pkgB.PackageSPDXIdentifier): // pass 
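Review bot: `orphanPkgs`, added in `@@ -73,6 +74,9 @@`, is keyed by SPDXID, so packages that share an identifier collapse into one entry. Because `parsePackages` now ranges over this map instead of `spdxDocument.Packages` (see `@@ -156,13 +164,13 @@`), a document without relationships no longer has every listed package parsed when identifiers repeat. SPDX requires unique identifiers, but the analyzer test shows the document is read from the scanned image, so a malformed file would silently shrink the reported package list. I would compare `len(orphanPkgs)` with `len(spdxDocument.Packages)` right after this line and return an error, or at least log, when they differ. `unmarshal` starts and ends outside this hunk.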
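Review bot: The `// pass` case at the end of `@@ -111,6 +116,7 @@` leaves both the root package and the application in `orphanPkgs`, and the `isOperatingSystem(pkgA)` case removes only `pkgB`, so those elements reach `parsePackages` unless another relationship claims them. That looks intended for the root package, but it is not written down, and whether `parsePkg` skips the others is not visible in this hunk. I would replace the comment with `// pass: the application leaves orphanPkgs once a library relationship claims it` and add a test for an application that has no libraries. The `switch` continues outside the hunk.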
@@ -129,6 +135,10 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { return xerrors.Errorf("failed to parse language-specific package: %w", err) } app.Libraries = append(app.Libraries, *lib) + + // They are no longer orphan packages + delete(orphanPkgs, pkgA.PackageSPDXIdentifier) + delete(orphanPkgs, pkgB.PackageSPDXIdentifier) } } @@ -143,10 +153,8 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { } // Fallback for when there are no effective relationships. - if len(relationships) == 0 { - if err := s.parsePackages(spdxDocument); err != nil { - return err - } + if err := s.parsePackages(orphanPkgs); err != nil { + return err } // Keep the original document @@ -156,13 +164,13 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error { // parsePackages processes the packages and categorizes them into OS packages and application packages. // Note that all language-specific packages are treated as a single application. -func (s *SPDX) parsePackages(spdxDocument *spdx.Document) error { +func (s *SPDX) parsePackages(pkgs map[common.ElementID]*spdx.Package) error { var ( osPkgs []ftypes.Package - app ftypes.Application + apps = map[string]ftypes.Application{} ) - for _, p := range spdxDocument.Packages { + for _, p := range pkgs { pkg, pkgType, err := parsePkg(*p, nil) if errors.Is(err, errUnknownPackageFormat) { continue 
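Review bot: With the `len(relationships) == 0` guard removed in `@@ -143,10 +153,8 @@`, `parsePackages` runs on every document, and its `s.Packages = []ftypes.PackageInfo{{Packages: osPkgs}}` (context in `@@ -174,27 +182,28 @@`) assigns rather than merges. If `unmarshal` has already stored the OS packages collected from relationships in `s.Packages` (that code is outside this hunk), a single orphan OS package would replace that list and the scan would under-report. I would merge instead, for example `s.Packages = append(s.Packages, ftypes.PackageInfo{Packages: osPkgs})`, or append to the existing entry if consumers expect exactly one. The comment above the call should also change, e.g. `// Parse the packages that no relationship claimed.`, since this is no longer a fallback.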
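Review bot: The doc comment kept as context in `@@ -156,13 +164,13 @@` still says "all language-specific packages are treated as a single application", which no longer matches the new `apps = map[string]ftypes.Application{}` that groups libraries by package type. I would change that sentence to `// Language-specific packages are grouped into one application per package type.` and add that the input is the set of packages not claimed by any relationship. The function body continues in the next hunk.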
@@ -174,27 +182,28 @@ func (s *SPDX) parsePackages(spdxDocument *spdx.Document) error { osPkgs = append(osPkgs, *pkg) default: // Language-specific packages - if app.Type == "" { + app, ok := apps[pkgType] + if !ok { app.Type = pkgType } app.Libraries = append(app.Libraries, *pkg) + apps[pkgType] = app } } if len(osPkgs) > 0 { s.Packages = []ftypes.PackageInfo{{Packages: osPkgs}} } - if len(app.Libraries) > 0 { + for _, app := range apps { + sort.Sort(app.Libraries) s.SBOM.Applications = append(s.SBOM.Applications, app) } return nil } -func createPackageSPDXIdentifierMap(packages []*spdx.Package) map[string]*spdx.Package { - ret := make(map[string]*spdx.Package) - for _, info := range packages { - ret[string(info.PackageSPDXIdentifier)] = info - } - return ret +func createPackageSPDXIdentifierMap(packages []*spdx.Package) map[common.ElementID]*spdx.Package { + return lo.SliceToMap(packages, func(pkg *spdx.Package) (common.ElementID, *spdx.Package) { + return pkg.PackageSPDXIdentifier, pkg + }) } func createFileSPDXIdentifierMap(files []*spdx.File) map[string]*spdx.File { @@ -218,14 +227,14 @@ func isFile(elementID spdx.ElementID) bool { } func initApplication(pkg spdx.Package) *ftypes.Application { - app := &ftypes.Application{ - Type: pkg.PackageName, - FilePath: pkg.PackageSourceInfo, - } - if pkg.PackageName == ftypes.NodePkg || pkg.PackageName == ftypes.PythonPkg || - pkg.PackageName == ftypes.GemSpec || pkg.PackageName == ftypes.Jar || pkg.PackageName == ftypes.CondaPkg { + app := &ftypes.Application{Type: pkg.PackageName} + switch pkg.PackageName { + case ftypes.NodePkg, ftypes.PythonPkg, ftypes.GemSpec, ftypes.Jar, ftypes.CondaPkg: app.FilePath = "" + default: + app.FilePath = pkg.PackageSourceInfo } + return app }
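Review bot: In `@@ -174,27 +182,28 @@` both `for _, p := range pkgs` (previous hunk) and `for _, app := range apps` iterate Go maps, so the order of `osPkgs` and of the appended `s.SBOM.Applications` changes from run to run; only `app.Libraries` is sorted. The analyzer test in this commit calls `got.Sort()` before comparing, which hides the effect, but any output built from this result is not reproducible and two scans of the same image cannot be diffed cleanly. I would sort the OS packages and append the applications in key order, as below.

```go
// … unchanged: loop filling osPkgs and apps …
if len(osPkgs) > 0 {
	sort.Sort(ftypes.Packages(osPkgs))
	// … unchanged: s.Packages assignment …
}
appTypes := make([]string, 0, len(apps))
for t := range apps {
	appTypes = append(appTypes, t)
}
sort.Strings(appTypes)
for _, t := range appTypes {
	app := apps[t]
	sort.Sort(app.Libraries)
	s.SBOM.Applications = append(s.SBOM.Applications, app)
}
```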
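Review bot: In `initApplication` (`@@ -218,14 +227,14 @@`) the first `case` sets `app.FilePath = ""`, which is already the value left by `&ftypes.Application{Type: pkg.PackageName}`, so the branch only exists to skip `default`. The rewrite reads better than the old `||` chain, but it still does not say why these five types get no application-level path; the reason is not visible in this hunk. I would keep the `case` and replace the assignment with a comment stating that reason, so the empty branch is clearly deliberate.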