
fix(sbom): attach nested packages to Application #8144

Merged
merged 8 commits into aquasecurity:main from fix/sbom-nested-pkgs
Dec 24, 2024

Conversation

DmitriyLewen
Contributor

Description

There is a problem with decoding nested packages.
We create 2 attachments for them (see #8143).

This PR recursively checks all related packages and associates them with an attachment.

Example (test file packages):
Before:

➜ trivy -q rootfs -f cyclonedx -o report.cdx.json ./pkg/dependency/parser/golang/binary/testdata/test.elf && trivy -q sbom ./report.cdx.json -f json --list-all-pkgs | grep Target 
      "Target": "",
      "Target": "test.elf",

After:

➜ trivy -q rootfs -f cyclonedx -o report.cdx.json ./pkg/dependency/parser/golang/binary/testdata/test.elf && ./trivy -q sbom ./report.cdx.json -f json --list-all-pkgs | grep Target
      "Target": "test.elf",

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Dec 20, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 20, 2024 11:40
@knqyf263
Collaborator

knqyf263 commented Dec 24, 2024

@DmitriyLewen I've added three changes to prevent potential issues:

  1. Recursive Processing for OS Packages:
    • Added recursive processing for OS packages to prevent future bugs
    • This preemptive change ensures consistency with language-specific package handling
    • Without this change, future modifications to OS package handling could lead to incomplete dependency resolution

  2. Infinite Loop Prevention:
    • Implemented cycle detection using a visited packages map
    • Each package is now processed only once to prevent infinite recursion

  3. Package Duplication Resolution:
    • Previous versions of Trivy could output SBOMs where the same package appears multiple times in the dependency tree
    • This was due to packages with unknown relationships being added under applications (this behavior was changed in fix(sbom): use root package for unknown dependencies (if exists) #8104)
    • The cycle detection mechanism (change No. 2) also resolves this package duplication issue

Please verify these changes maintain the expected behavior while addressing the identified issues.

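The traversal both the PR description and the comment above describe, as an added example written for this page: a recursive walk from each application that attaches every reachable package to it, with one visited map shared across the whole walk so that a cycle terminates and a package reachable by two paths (a diamond) is attached exactly once, while anything no application reaches falls through to an empty target, the `"Target": ""` symptom shown in the description. This is not Trivy's code and not taken from pkg/sbom/io/decode.go: the `Component` type, the `Attach` and `SampleComponents` functions, the `app:`/`lib:` refs, the constructed input, and the rule that a walk does not descend into another application are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is a hypothetical, simplified stand-in for a decoded SBOM
// component (not Trivy's own type): its BOM ref, whether it is an
// application or a library, and the refs it declares dependencies on.
type Component struct {
	Ref       string
	IsApp     bool
	DependsOn []string
}

// Attach groups every library reachable from an application under that
// application's ref, walking the dependency graph depth-first. One visited
// set shared by the whole walk gives each package exactly one owner: it
// stops infinite recursion on cycles (lib:a -> lib:b -> lib:a) and stops a
// package reachable by two paths from being appended twice. Libraries no
// application reaches are collected under the empty key. Applications are
// processed in input order, so the first application to reach a shared
// library owns it (an assumption of this example).
func Attach(comps []Component) map[string][]string {
	byRef := make(map[string]Component, len(comps))
	for _, c := range comps {
		byRef[c.Ref] = c
	}
	visited := make(map[string]bool)
	out := make(map[string][]string)

	var walk func(owner, ref string)
	walk = func(owner, ref string) {
		if visited[ref] {
			return // already attached (cycle or diamond): process once only
		}
		visited[ref] = true
		c, ok := byRef[ref]
		if !ok {
			return // dangling ref: declared as a dependency but never defined
		}
		if c.IsApp {
			return // another application owns its own subtree (assumption)
		}
		out[owner] = append(out[owner], ref)
		for _, dep := range c.DependsOn {
			walk(owner, dep)
		}
	}

	for _, c := range comps {
		if !c.IsApp {
			continue
		}
		for _, dep := range c.DependsOn {
			walk(c.Ref, dep)
		}
	}
	// Whatever is still unvisited has no application above it.
	for _, c := range comps {
		if !c.IsApp && !visited[c.Ref] {
			out[""] = append(out[""], c.Ref)
		}
	}
	for k := range out {
		sort.Strings(out[k]) // stable output regardless of walk order
	}
	return out
}

// SampleComponents is constructed input modelled on the PR's example: one
// application (the Go binary) whose nested packages contain a cycle and a
// diamond, plus one library nothing depends on.
func SampleComponents() []Component {
	return []Component{
		{Ref: "app:test.elf", IsApp: true, DependsOn: []string{"lib:a", "lib:d"}},
		{Ref: "lib:a", DependsOn: []string{"lib:b", "lib:c"}},
		{Ref: "lib:b", DependsOn: []string{"lib:a"}}, // cycle back to lib:a
		{Ref: "lib:c"},                               // reached via lib:a and via lib:d
		{Ref: "lib:d", DependsOn: []string{"lib:c"}},
		{Ref: "lib:orphan"}, // no application reaches it
	}
}

func main() {
	for target, pkgs := range Attach(SampleComponents()) {
		fmt.Printf("Target %q: %v\n", target, pkgs)
	}
}
```

Removing the `visited[ref]` check makes `walk` recurse forever on `lib:a` and `lib:b`; keeping the check but giving each application its own map would still append `lib:c` under `app:test.elf` twice, once via `lib:a` and once via `lib:d`. Those are the two failure modes items 2 and 3 of the comment above are about, and a single map shared across the whole decode handles both.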
@DmitriyLewen
Contributor Author

Thank you for handling the OS packages.
I didn't think about them.

Looks good now 👍

> Please verify these changes maintain the expected behavior while addressing the identified issues.

It works as expected.
Approve the PR if you have no other changes.

@knqyf263 knqyf263 added this pull request to the merge queue Dec 24, 2024
Merged via the queue into aquasecurity:main with commit 735335f Dec 24, 2024
12 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/sbom-nested-pkgs branch December 24, 2024 07:57
@DmitriyLewen
Contributor Author

@aqua-bot backport release/v0.58

github-actions bot pushed a commit that referenced this pull request Dec 24, 2024
@aqua-bot
Contributor

Backport PR created: #8168

Development

Successfully merging this pull request may close these issues.

bug(sbom): multiple Results for one package with root relationship for sbom mode
3 participants