
remove other relationship from syft generated rpm sboms #35

Merged

Conversation

@jasinner jasinner (Contributor) commented Oct 9, 2024

By default Syft generates SPDX Documents where embedded dependencies discovered in a go.mod file have an extra set of 'OTHER' relationships added, in addition to the expected 'CONTAINS' relationship. Let's reduce the number of relationships in the SBOM by removing the 'OTHER' ones.

This also changes the URL used by SourceN packages to use the internal git location if a remote one is not found.

Lastly it adds CPE values to the RPM release manifest.

@jasinner jasinner marked this pull request as draft October 10, 2024 06:24
@twaugh twaugh (Collaborator) commented Oct 10, 2024

Might this end up with packages not referenced by a relationship?

@jasinner jasinner force-pushed the remove-syft-other-relationships branch from 78d88fc to 545b1f9 Compare October 11, 2024 01:46
@jasinner jasinner (Contributor, Author) commented

> Might this end up with packages not referenced by a relationship?

I didn't notice earlier but there are 2 relationship types added by Syft. An 'OTHER' relationship which is removed by this PR, and the expected 'CONTAINS' one.
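The concern raised above (dropping relationships must not leave packages unreferenced) is easy to check mechanically. The following is an added example, not code from this pull request or from the project: it removes an OTHER relationship only when the same source/target pair is already covered by a non-OTHER relationship (such as Syft's CONTAINS), keeps an OTHER that is the sole edge to a package, and then reports any package no relationship mentions. The SPDX document embedded here is constructed for the example and is not real Syft output.

```python
import json
import sys

# Constructed sample in the shape Syft emits for a Go binary: the binary CONTAINS
# two modules, each pair duplicated by an OTHER edge, plus one module (module-c)
# that is reachable only through an OTHER edge. Not a real Syft document.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-binary", "name": "example-binary"},
        {"SPDXID": "SPDXRef-Package-go-module-a", "name": "example.com/module-a"},
        {"SPDXID": "SPDXRef-Package-go-module-b", "name": "example.com/module-b"},
        {"SPDXID": "SPDXRef-Package-go-module-c", "name": "example.com/module-c"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-binary", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-binary", "relatedSpdxElement": "SPDXRef-Package-go-module-a", "relationshipType": "CONTAINS"},
        {"spdxElementId": "SPDXRef-Package-binary", "relatedSpdxElement": "SPDXRef-Package-go-module-a", "relationshipType": "OTHER"},
        {"spdxElementId": "SPDXRef-Package-binary", "relatedSpdxElement": "SPDXRef-Package-go-module-b", "relationshipType": "CONTAINS"},
        {"spdxElementId": "SPDXRef-Package-binary", "relatedSpdxElement": "SPDXRef-Package-go-module-b", "relationshipType": "OTHER"},
        {"spdxElementId": "SPDXRef-Package-binary", "relatedSpdxElement": "SPDXRef-Package-go-module-c", "relationshipType": "OTHER"},
    ],
}


def _pair(rel):
    return (rel["spdxElementId"], rel["relatedSpdxElement"])


def drop_redundant_other(doc):
    """Return a copy of doc whose OTHER relationships are removed only where the
    same (source, target) pair is also expressed by a non-OTHER relationship."""
    rels = doc["relationships"]
    covered = {_pair(r) for r in rels if r["relationshipType"] != "OTHER"}
    kept = [r for r in rels if r["relationshipType"] != "OTHER" or _pair(r) not in covered]
    out = dict(doc)
    out["relationships"] = kept
    return out


def unreferenced_packages(doc):
    """SPDXIDs of packages that no relationship mentions on either side."""
    mentioned = set()
    for r in doc["relationships"]:
        mentioned.add(r["spdxElementId"])
        mentioned.add(r["relatedSpdxElement"])
    return sorted(p["SPDXID"] for p in doc["packages"] if p["SPDXID"] not in mentioned)


if __name__ == "__main__":
    # Usage: python3 prune_other.py [document.spdx.json]; defaults to the sample above.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SPDX
    pruned = drop_redundant_other(doc)
    print(f"relationships: {len(doc['relationships'])} -> {len(pruned['relationships'])}")
    print("unreferenced packages after pruning:", unreferenced_packages(pruned) or "none")
```

The prune is pair-based rather than type-based on purpose: a blanket "delete every OTHER" would cut module-c loose in the sample, and the unreferenced-package check is what would surface that in review.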

@jasinner jasinner marked this pull request as ready for review October 11, 2024 04:56
@jasinner jasinner force-pushed the remove-syft-other-relationships branch from ea578ef to ef61bbf Compare October 11, 2024 05:01
@mprpic mprpic (Contributor) commented Oct 11, 2024

The change to the openshift-pipelines-client is a bit hard to check so I visualized it with spdxshow as:

(image: relationship graph of openshift-pipelines-client rendered with spdxshow)

The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?

@twaugh twaugh (Collaborator) commented Oct 11, 2024

> The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?

I pushed an update to spdxshow to make this clearer. What's happening is that each source archive has the same download URL -- I don't think that's correct.

It's also using unquoted '#' in the download_url qualifier for the purl, which I also think isn't right. The PackageURL module ignores everything after that anchor.
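To make the purl point above concrete: in the package-url grammar '#' introduces the subpath, so an unencoded '#' inside a download_url qualifier value ends the qualifier early. The following is an added example, not code from this pull request or from the project, and it deliberately avoids the packageurl library so it runs stand-alone: a minimal purl builder that percent-encodes qualifier values, and a minimal parser that splits on '#' and '?' the way a spec-following parser does. The purl string is constructed for the example.

```python
from urllib.parse import quote, unquote


def build_purl(ptype, name, version, qualifiers):
    """Assemble pkg:<type>/<name>@<version>?<qualifiers> with qualifier values
    percent-encoded. ':' and '/' are left readable; '#', '?', '@', '&', '=' and
    '+' are encoded so they cannot be mistaken for purl separators."""
    pairs = "&".join(f"{k}={quote(v, safe=':/')}" for k, v in sorted(qualifiers.items()))
    return f"pkg:{ptype}/{name}@{version}" + (f"?{pairs}" if pairs else "")


def parse_purl_qualifiers(purl):
    """Minimal spec-style parse: subpath is everything after the first '#',
    qualifiers are the key=value pairs between '?' and that '#'."""
    body, _, _subpath = purl.partition("#")
    _, _, query = body.partition("?")
    return {k: unquote(v) for k, v in (part.split("=", 1) for part in query.split("&") if part)}


# Constructed: a purl written by naive string concatenation, '#' left unencoded.
NAIVE_PURL = "pkg:generic/example-src@1.0?download_url=https://example.com/repo.git#release-1.0"

# The same qualifier built with encoding; the parser recovers the whole URL.
ENCODED_PURL = build_purl("generic", "example-src", "1.0",
                          {"download_url": "https://example.com/repo.git#release-1.0"})


if __name__ == "__main__":
    print("naive  :", NAIVE_PURL, "->", parse_purl_qualifiers(NAIVE_PURL)["download_url"])
    print("encoded:", ENCODED_PURL, "->", parse_purl_qualifiers(ENCODED_PURL)["download_url"])
```

When reviewing generated SBOMs, round-tripping each purl through a parser and comparing the recovered download_url with the intended one is a cheap check that catches this class of truncation.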

@jasinner jasinner force-pushed the remove-syft-other-relationships branch 2 times, most recently from ab8b775 to de3a070 Compare October 17, 2024 02:52
@jasinner jasinner (Contributor, Author) commented

> The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?
>
> I pushed an update to spdxshow to make this clearer. What's happening is that each source archive has the same download URL -- I don't think that's correct.
>
> It's also using unquoted '#' in the download_url qualifier for the purl, which I also think isn't right. The PackageURL module ignores everything after that anchor.

I pushed another update which follows the openssl midstream example previously included, to include the midstream sources for openshift-pipelines-client as well.

I wasn't able to visualize it with spdx-show because of this issue with graph-viz:

$ python3 spdxshow.py relationships openshift-pipelines-client-1.14.3-11352.el8.spdx.json --no-hints | graph-easy --as=svg > rel.svg
Can't locate Graph/Easy/As_svg.pm in @INC (you may need to install the Graph::Easy::As_svg module) (@INC entries checked: /usr/local/lib64/perl5/5.38 /usr/local/share/perl5/5.38 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/share/perl5/vendor_perl/Graph/Easy.pm line 1752, <STDIN> line 1.

@twaugh twaugh (Collaborator) commented Oct 17, 2024

For the spdxshow issue: https://bugzilla.redhat.com/show_bug.cgi?id=458661
For some reason the svg module isn't packaged.

Workaround:

$ spdxshow relationships ... --no-hints | graph-easy --as=dot | dot -Tsvg

@jasinner jasinner force-pushed the remove-syft-other-relationships branch 3 times, most recently from 2e57d3b to 12b705c Compare October 24, 2024 04:00
@jasinner jasinner force-pushed the remove-syft-other-relationships branch from 12b705c to f454aca Compare October 29, 2024 01:28
@mprpic mprpic merged commit 3b994a8 into RedHatProductSecurity:main Oct 29, 2024
3 checks passed