Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Jan 27, 2023. It is now read-only.

Filter packages that are "owned" by other packages #917

Merged
merged 1 commit into from
Mar 2, 2021
Merged

Filter packages that are "owned" by other packages #917

merged 1 commit into from
Mar 2, 2021

Conversation

@wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Feb 17, 2021
edited
Loading

What this PR does / why we need it:
Today engine will perform vulnerability matching for all packages discovered within a image, even if a given package is really "owned" by a parent package (e.g. An RPM has packaged within it a Python wheel that gets installed, the RPM is the "owner" of the wheel package). In these cases the parent package should be used for vulnerability matching and the child should be ignored (see #315 , #445 , and #460).

This PR bumps the syft version that labels relations between packages + adds a filter to the SBOM report to exclude packages that are owned by other packages.

Additionally this PR allows for additional attributes on image import, enabling schema additions to not cause a 400 to be returned.

Which issue this PR fixes
Fixes #445 , Fixes #460

Tasks:

@wagoodman wagoodman self-assigned this Feb 17, 2021
@wagoodman wagoodman force-pushed the package-relations branch 5 times, most recently from 15d8c71 to 93c0989 Compare February 22, 2021 17:03
alfredodeza
alfredodeza reviewed Feb 22, 2021
View reviewed changes
@wagoodman wagoodman force-pushed the package-relations branch 2 times, most recently from c4e92e2 to a39b96b Compare February 26, 2021 21:42
@wagoodman wagoodman changed the base branch from master to v0.9.2-dev February 26, 2021 21:43
@wagoodman wagoodman force-pushed the package-relations branch 2 times, most recently from 9048d74 to 03b7581 Compare February 26, 2021 21:48
@wagoodman wagoodman changed the title [WIP] Filter packages that are "owned" by other packages Filter packages that are "owned" by other packages Feb 26, 2021
@wagoodman wagoodman marked this pull request as ready for review February 26, 2021 21:59
@zhill
Copy link
Member

zhill commented Feb 28, 2021

I resolved the conflict on the Dockerfile, and that should also merge in the jsonschema fix causing the CI failure

@wagoodman wagoodman force-pushed the package-relations branch from 1ec0e46 to c29a367 Compare March 2, 2021 13:17
alfredodeza
alfredodeza approved these changes Mar 2, 2021
View reviewed changes
Copy link
Contributor

@alfredodeza alfredodeza left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of minor comments. This is good as-is. Feel free to update or merge

@wagoodman wagoodman force-pushed the package-relations branch from c29a367 to 90ca9bb Compare March 2, 2021 17:16
@wagoodman wagoodman merged commit ab093cb into v0.9.2-dev Mar 2, 2021
@wagoodman wagoodman deleted the package-relations branch March 2, 2021 18:36
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@zhill zhill Awaiting requested review from zhill

@luhring luhring Awaiting requested review from luhring

1 more reviewer

@alfredodeza alfredodeza alfredodeza approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@wagoodman wagoodman

Labels

None yet

Projects

None yet

Milestone

No milestone

4 participants

@wagoodman @zhill @alfredodeza