
Conversation

@wagoodman
Contributor

@wagoodman wagoodman commented Nov 19, 2020

Today we use CPEs in grype during the matching process; however, this is really an SBOM field being ephemerally created and thrown away. This could be useful in other aspects SBOM-wise.

This PR does the following:

  • Adds CPEs and PURL to the pkg.Package struct.
  • Does post-processing of packages after the catalogers but before being added to the catalog.
  • The above point makes the syft.Catalog step dependent on distro, so distro identification has been moved under this call (and removed as an independent action from lib.go)
  • When distro.Identify() cannot identify a distro it now returns nil, being consistent with other properties that have the same behavior.
  • Unrelated: oraclelinux distro testing was missed previously, so was added here

Notes:

  • This PR opens up future work to include CPEs in presenters (Add the Common Platform Enumeration (CPE) for the CycloneDX output #268), but in this PR they have only been exposed in the JSON presenter.
  • This PR takes a "minimal" approach and allows a central spot (within syft.cataloger) to be responsible for accumulating PURLs and CPEs and attaching them to a package object; however, there is probably a better way to do this in the future. One outcome of this was to start considering individual catalogers to be responsible only for discovering and raising up "raw" information from the entity being cataloged, while interpretations of this data are considered "out of scope" for the catalogers and should be attached to the package downstream of the individual catalogers.

Closes #269

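The post-processing step described in the PR above, as an added example that is not syft's own code: catalogers emit "raw" packages, and a single step after cataloging attaches a PURL and candidate CPEs, tolerating a nil distro when identification fails. The Package and Distro types, the PURL/CPE generators and the type map are all hypothetical and simplified (the real purl and CPE 2.3 specifications have more encoding rules than shown here).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Distro is the identified OS distribution. A nil *Distro means "not identified",
// mirroring the exists-or-not-exists semantics the PR gives distro.Identify().
type Distro struct {
	Name    string // e.g. "ubuntu" (assumed field)
	Version string // e.g. "20.04" (assumed field)
}

// Package is a hypothetical stand-in for the cataloged package struct.
// PURL and CPEs are left empty by catalogers and filled in by PostProcess.
type Package struct {
	Name    string
	Version string
	Type    string   // "deb", "rpm", "apk", "python", ...
	PURL    string
	CPEs    []string
}

// purlType maps package types onto purl type strings (hypothetical, partial map).
var purlType = map[string]string{"deb": "deb", "rpm": "rpm", "apk": "apk", "python": "pypi"}

func isOSPackage(p Package) bool {
	return p.Type == "deb" || p.Type == "rpm" || p.Type == "apk"
}

// GeneratePURL builds a package URL. For OS packages a known distro supplies the
// namespace and a distro qualifier; with a nil distro those parts are omitted
// instead of dereferencing the pointer.
func GeneratePURL(p Package, d *Distro) string {
	t, ok := purlType[p.Type]
	if !ok {
		return "" // unknown package type: emit no purl rather than a guessed one
	}
	var b strings.Builder
	b.WriteString("pkg:" + t + "/")
	if isOSPackage(p) && d != nil {
		b.WriteString(url.PathEscape(d.Name) + "/")
	}
	// QueryEscape percent-encodes '+' and ':' in versions such as "1.1.1f-1ubuntu2.17+esm1".
	b.WriteString(url.PathEscape(p.Name) + "@" + url.QueryEscape(p.Version))
	if isOSPackage(p) && d != nil {
		b.WriteString("?distro=" + url.QueryEscape(d.Name+"-"+d.Version))
	}
	return b.String()
}

// cpeEscape quotes a value for the CPE 2.3 formatted-string binding: letters, digits,
// '_', '.' and '-' stay literal; everything else (notably ':' and '+') is backslash-escaped.
func cpeEscape(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9', r == '_', r == '.', r == '-':
			b.WriteRune(r)
		default:
			b.WriteRune('\\')
			b.WriteRune(r)
		}
	}
	return b.String()
}

// GenerateCPEs returns candidate CPEs. The true vendor is unknown at this stage, so one
// candidate is emitted per plausible vendor (the package name, plus the distro name for
// OS packages) and a downstream matcher decides which, if any, applies.
func GenerateCPEs(p Package, d *Distro) []string {
	vendors := []string{p.Name}
	if d != nil && isOSPackage(p) {
		vendors = append(vendors, d.Name)
	}
	seen := map[string]bool{}
	var out []string
	for _, v := range vendors {
		c := fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", cpeEscape(v), cpeEscape(p.Name), cpeEscape(p.Version))
		if !seen[c] {
			seen[c] = true
			out = append(out, c)
		}
	}
	return out
}

// PostProcess is the single downstream spot where identities are attached, so the
// catalogers themselves stay limited to raising raw facts.
func PostProcess(pkgs []Package, d *Distro) []Package {
	out := make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		p.PURL = GeneratePURL(p, d)
		p.CPEs = GenerateCPEs(p, d)
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed sample input, not output from a real image.
	raw := []Package{
		{Name: "openssl", Version: "1.1.1f-1ubuntu2.17+esm1", Type: "deb"},
		{Name: "requests", Version: "2.25.1", Type: "python"},
	}
	for _, p := range PostProcess(raw, &Distro{Name: "ubuntu", Version: "20.04"}) {
		fmt.Println(p.PURL, p.CPEs)
	}
	// The same packages when distro identification returned nil.
	for _, p := range PostProcess(raw, nil) {
		fmt.Println(p.PURL, p.CPEs)
	}
}
```

The nil-distro path is the one worth checking in review of a change like this: every consumer that previously received a non-pointer Distro now has to guard against nil before reading its fields.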
@wagoodman wagoodman requested a review from a team November 19, 2020 16:25
@wagoodman wagoodman self-assigned this Nov 19, 2020
Contributor

@luhring luhring left a comment


This looks great! The only thing I'm not clear on is all the places that Distro was changed to use a pointer... IIRC, this was just recently changed from a pointer type to a non-pointer type. Not a blocking issue for this PR.

@wagoodman
Contributor Author

Fair question. In #266 the change from pointer to non-pointer for downstream usages of distro.Distro was to eliminate the need for the pointer, since the caller should be checking the distro.Type explicitly (and there should never be an empty distro). This PR changes the semantics such that distro.Identify() can indicate it could not identify the distro via a nil pointer (changing the underlying semantics to exists-or-not-exists, and changing downstream references to need the pointer type, where earlier these downstream pointers were not needed).

@wagoodman wagoodman merged commit 0ed3013 into main Nov 19, 2020
@wagoodman wagoodman deleted the cpe-generation branch November 19, 2020 17:38
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Move package PURL and CPEs to Package definition

Development

Successfully merging this pull request may close these issues.

Migrate CPE generation to syft (and generally output package identities)