anchore · wagoodman · Mar 2, 2021 · Feb 17, 2021
diff --git a/Dockerfile b/Dockerfile
@@ -46,7 +46,7 @@ RUN set -ex && \
 
 RUN set -ex && \
     echo "installing Syft" && \
-    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /build_output/deps v0.12.7
+    curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /build_output/deps v0.13.1
 
 # stage RPM dependency binaries
 RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \

diff --git a/anchore_engine/analyzers/syft/__init__.py b/anchore_engine/analyzers/syft/__init__.py
@@ -1,12 +1,37 @@
 import collections
 
-from anchore_engine.analyzers.utils import defaultdict_to_dict, content_hints
+from anchore_engine.analyzers.utils import defaultdict_to_dict, content_hints, dig
 from anchore_engine.clients.syft_wrapper import run_syft
 from .handlers import modules_by_artifact_type, modules_by_engine_type
 
 
-def filter_artifacts(artifact):
-    return artifact["type"] in modules_by_artifact_type
+def filter_relationships(relationships, **kwargs):
+    def filter_fn(relationship):
+        for key, expected in kwargs.items():
+            if relationship[key] != expected:
+                return False
+        return True
+
+    return [r for r in relationships if filter_fn(r)]
+
+
+def filter_artifacts(artifacts, relationships):
+    def filter_fn(artifact):
+        # syft may do more work than what is supported in engine, ensure we only include artifacts
+        # of select package types.
+        if artifact["type"] not in modules_by_artifact_type:
+            return False
+
+        # some packages are owned by other packages (e.g. a python package that was installed
+        # from an RPM instead of with pip), filter out any packages that are not "root" packages.
+        if filter_relationships(
+            relationships, child=dig(artifact, "id"), type="ownership-by-file-overlap"
+        ):
+            return False
+
+        return True
+
+    return [a for a in artifacts if filter_fn(a)]
 
 
 def catalog_image(imagedir):
@@ -42,7 +67,10 @@ def convert_syft_to_engine(all_results):
     # take a sub-set of the syft findings and invoke the handler function to
     # craft the artifact document and inject into the "raw" analyzer json
     # document
-    for artifact in filter(filter_artifacts, all_results["artifacts"]):
+    for artifact in filter_artifacts(
+        all_results["artifacts"],
+        dig(all_results, "artifactRelationships", force_default=[]),
+    ):
         handler = modules_by_artifact_type[artifact["type"]]
         handler.translate_and_save_entry(findings, artifact)
 

diff --git a/anchore_engine/services/apiext/swagger/swagger.yaml b/anchore_engine/services/apiext/swagger/swagger.yaml
@@ -4998,6 +4998,10 @@ definitions:
         "$ref": "#/definitions/ImportDescriptor"
       schema:
         "$ref": "#/definitions/ImportSchema"
+      artifactRelationships:
+        items:
+          "$ref": "#/definitions/ImportPackageRelationship"
+        type: array
     additionalProperties: true
     type: object
   ImportDescriptor:
@@ -5009,7 +5013,7 @@ definitions:
         type: string
       version:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportDistribution:
     required:
@@ -5023,7 +5027,7 @@ definitions:
         type: string
       idLike:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportPackageLocation:
     required:
@@ -5033,7 +5037,7 @@ definitions:
         type: string
       layerID:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportPackage:
     required:
@@ -5046,6 +5050,8 @@ definitions:
       - cpes
       - metadataType
     properties:
+      id:
+        type: string
       name:
         type: string
       version:
@@ -5075,9 +5081,8 @@ definitions:
         type: string
       metadata:
         type: object
-    additionalProperties: false
+    additionalProperties: true
     type: object
-
   ImportSchema:
     required:
       - version
@@ -5087,7 +5092,7 @@ definitions:
         type: string
       url:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportSource:
     required:
@@ -5098,5 +5103,22 @@ definitions:
         type: string
       target:
         additionalProperties: true
-    additionalProperties: false
+    additionalProperties: true
     type: object
+  ImportPackageRelationship:
+    required:
+      - parent
+      - child
+      - type
+    properties:
+      parent:
+        type: string
+      child:
+        type: string
+      type:
+        type: string
+      metadata:
+        additionalProperties: true
+        type: object
+    additionalProperties: true
+    type: object
diff --git a/anchore_engine/services/catalog/swagger/swagger.yaml b/anchore_engine/services/catalog/swagger/swagger.yaml
@@ -2299,6 +2299,10 @@ definitions:
         "$ref": "#/definitions/ImportDescriptor"
       schema:
         "$ref": "#/definitions/ImportSchema"
+      artifactRelationships:
+        items:
+          "$ref": "#/definitions/ImportPackageRelationship"
+        type: array
     additionalProperties: true
     type: object
   ImportDescriptor:
@@ -2310,7 +2314,7 @@ definitions:
         type: string
       version:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportDistribution:
     required:
@@ -2324,7 +2328,7 @@ definitions:
         type: string
       idLike:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportPackageLocation:
     required:
@@ -2334,7 +2338,7 @@ definitions:
         type: string
       layerID:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportPackage:
     required:
@@ -2347,6 +2351,8 @@ definitions:
       - cpes
       - metadataType
     properties:
+      id:
+        type: string
       name:
         type: string
       version:
@@ -2376,9 +2382,8 @@ definitions:
         type: string
       metadata:
         type: object
-    additionalProperties: false
+    additionalProperties: true
     type: object
-
   ImportSchema:
     required:
       - version
@@ -2388,7 +2393,7 @@ definitions:
         type: string
       url:
         type: string
-    additionalProperties: false
+    additionalProperties: true
     type: object
   ImportSource:
     required:
@@ -2399,6 +2404,22 @@ definitions:
         type: string
       target:
         additionalProperties: true
-    additionalProperties: false
+    additionalProperties: true
     type: object
-
+  ImportPackageRelationship:
+    required:
+      - parent
+      - child
+      - type
+    properties:
+      parent:
+        type: string
+      child:
+        type: string
+      type:
+        type: string
+      metadata:
+        additionalProperties: true
+        type: object
+    additionalProperties: true
+    type: object
diff --git a/tests/functional/clients/conftest.py b/tests/functional/clients/conftest.py
@@ -88,6 +88,15 @@
         "image_source": "registry",
         "schema_version": "v2",
     },
+    # skopeo inspect --override-os linux  docker://anchore/test_images@sha256:bfbc9520743a4601da82c24958e194d55e45b8cab7c5b466f6ac81c90308749f --raw
+    "ownership-overlap": {
+        "registry": "docker.io",
+        "repo": "anchore/test_images",
+        "tag": "ownership-overlap",
+        "digest": "sha256:bfbc9520743a4601da82c24958e194d55e45b8cab7c5b466f6ac81c90308749f",
+        "image_source": "registry",
+        "schema_version": "v2",
+    },
 }
 
 

diff --git a/.../test_images@sha256:bfbc9520743a4601da82c24958e194d55e45b8cab7c5b466f6ac81c90308749f.json b/.../test_images@sha256:bfbc9520743a4601da82c24958e194d55e45b8cab7c5b466f6ac81c90308749f.json
@@ -0,0 +1,31 @@
+{
+    "schemaVersion": 2,
+    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+    "config": {
+       "mediaType": "application/vnd.docker.container.image.v1+json",
+       "size": 3720,
+       "digest": "sha256:41d9e5a1f0dbde2595a37da2433ec7edb01eb0929e95a8db91ca1114fccc146b"
+    },
+    "layers": [
+       {
+          "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+          "size": 28565893,
+          "digest": "sha256:83ee3a23efb7c75849515a6d46551c608b255d8402a4d3753752b88e0dc188fa"
+       },
+       {
+          "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+          "size": 843,
+          "digest": "sha256:db98fc6f11f08950985a203e07755c3262c680d00084f601e7304b768c83b3b1"
+       },
+       {
+          "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+          "size": 162,
+          "digest": "sha256:f611acd52c6cad803b06b5ba932e4aabd0f2d0d5a4d050c81de2832fcb781274"
+       },
+       {
+          "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+          "size": 12226706,
+          "digest": "sha256:275db3cc73f8c4330b8ce23aea19e5979e18212f3430058178e44d011ce9ff64"
+       }
+    ]
+ }