Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(bom): overwrite epoch if srcEpoch is 0 #6865

Closed
DmitriyLewen opened this issue Jun 6, 2024 · 0 comments · Fixed by #6866
Closed

bug(bom): overwrite epoch if srcEpoch is 0 #6865

DmitriyLewen opened this issue Jun 6, 2024 · 0 comments · Fixed by #6866
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM

Comments

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Jun 6, 2024
edited
Loading

Description

There are cases when pkg.epoch is not 0, but pkg.srcEpoch in 0.
e.g.:

root@2ffdd2cb0e31:/# cat /var/lib/dpkg/status | grep bsdutils -A 18
Package: bsdutils
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 356
Maintainer: util-linux packagers <[email protected]>
Architecture: amd64
Multi-Arch: foreign
Source: util-linux (2.38.1-5)
Version: 1:2.38.1-5+b1
Pre-Depends: libc6 (>= 2.34), libsystemd0
Recommends: bsdextrautils
Description: basic utilities from 4.4BSD-Lite
 This package contains the bare minimum of BSD utilities needed for a Debian
 system: logger, renice, script, scriptlive, scriptreplay and wall. The
 remaining standard BSD utilities are provided by bsdextrautils.
Homepage: https://www.kernel.org/pub/linux/utils/util-linux/

In this case, in sbom mode we overwrite epoch(take epoch from pkg.epoch).

example:

➜ trivy -q image python:3.12.2 -f json --list-all-pkgs | jq '.Results[].Packages[] | select(.Name=="bsdutils")'
{
  "ID": "bsdutils@1:2.38.1-5+b1",
  "Name": "bsdutils",
  "Identifier": {
    "PURL": "pkg:deb/debian/[email protected]%2Bb1?arch=amd64&distro=debian-12.5&epoch=1",
    "UID": "fbbe7b0a3cbb79a3"
  },
  "Version": "2.38.1",
  "Release": "5+b1",
  "Epoch": 1,
  "Arch": "amd64",
  "SrcName": "util-linux",
  "SrcVersion": "2.38.1",
  "SrcRelease": "5",
  "Licenses": [
    ...
  ],
  "Maintainer": "util-linux packagers <[email protected]>",
  "Layer": {
    "DiffID": "sha256:0238a17903242951b944d01ab189a30ac237c715121f14565a2af8b078415d97"
  }
}
➜ trivy -q image python:3.12.2 -f cyclonedx -o report.cdx.json                                                 
➜ trivy -q sbom report.cdx.json -f json --list-all-pkgs | jq '.Results[].Packages[] | select(.Name=="bsdutils")'
{
  "ID": "bsdutils@1:2.38.1-5+b1",
  "Name": "bsdutils",
  "Identifier": {
    "PURL": "pkg:deb/debian/[email protected]%2Bb1?arch=amd64&distro=debian-12.5&epoch=1",
    "UID": "7f314baaeb4c1961",
    "BOMRef": "pkg:deb/debian/[email protected]%2Bb1?arch=amd64&distro=debian-12.5&epoch=1"
  },
  "Version": "2.38.1-5+b1",
  "Epoch": 1,
  "Arch": "amd64",
  "SrcName": "util-linux",
  "SrcVersion": "2.38.1",
  "SrcRelease": "5",
  "SrcEpoch": 1,
  "Licenses": [
    ...
  ],
  "Layer": {}
}
@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM labels Jun 6, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jun 6, 2024
@DmitriyLewen DmitriyLewen mentioned this issue Jun 6, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(sbom): don't overwrite srcEpoch when decoding SBOM files DmitriyLewen/trivy
1 participant
@DmitriyLewen