oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 16:33:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: cyclonedx depends-on relationship inverted (#1816)

Browse Source 
Signed-off-by: Shane Alvarez <shane.alv@gmail.com>
This commit is contained in:
Shane Alvarez 2023-05-15 07:59:26 -06:00 committed by GitHub
parent b4ed599481
commit 8046f09562
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
syft/formats/common/cyclonedxhelpers/decoder.go
View File

@ -206,7 +206,7 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
return return
} }
for _, d := range *bom.Dependencies { for _, d := range *bom.Dependencies {
from, fromExists := idMap[d.Ref].(artifact.Identifiable) to, fromExists := idMap[d.Ref].(artifact.Identifiable)
if !fromExists { if !fromExists {
continue continue
} }
@ -216,7 +216,7 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
} }
for _, t := range *d.Dependencies { for _, t := range *d.Dependencies {
to, toExists := idMap[t].(artifact.Identifiable) from, toExists := idMap[t].(artifact.Identifiable)
if !toExists { if !toExists {
continue continue
} }

59
syft/formats/common/cyclonedxhelpers/decoder_test.go
View File

@ -8,6 +8,9 @@ import (
"github.com/CycloneDX/cyclonedx-go" "github.com/CycloneDX/cyclonedx-go"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/sbom"
) )
func Test_decode(t *testing.T) { func Test_decode(t *testing.T) {
@ -184,16 +187,16 @@ func Test_decode(t *testing.T) {
ver: "1.2.3", ver: "1.2.3",
}, },
{ {
pkg: "package-1", pkg: "package-1",
ver: "1.0.1", ver: "1.0.1",
cpe: "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*", cpe: "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*",
purl: "pkg:some/package-1@1.0.1?arch=arm64&upstream=upstream1&distro=alpine-1", purl: "pkg:some/package-1@1.0.1?arch=arm64&upstream=upstream1&distro=alpine-1",
relation: "package-2",
}, },
{ {
pkg: "package-2", pkg: "package-2",
ver: "2.0.2", ver: "2.0.2",
purl: "pkg:apk/alpine/alpine-baselayout@3.2.0-r16?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.14.2", purl: "pkg:apk/alpine/alpine-baselayout@3.2.0-r16?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.14.2",
relation: "package-1",
}, },
}, },
}, },
@ -257,6 +260,46 @@ func Test_decode(t *testing.T) {
} }
} }
func Test_relationshipDirection(t *testing.T) {
cyclonedx_bom := cyclonedx.BOM{Metadata: nil,
Components: &[]cyclonedx.Component{
{
BOMRef: "p1",
Type: cyclonedx.ComponentTypeLibrary,
Name: "package-1",
Version: "1.0.1",
PackageURL: "pkg:some/package-1@1.0.1?arch=arm64&upstream=upstream1&distro=alpine-1",
},
{
BOMRef: "p2",
Type: cyclonedx.ComponentTypeLibrary,
Name: "package-2",
Version: "2.0.2",
PackageURL: "pkg:some/package-2@2.0.2?arch=arm64&upstream=upstream1&distro=alpine-1",
},
},
Dependencies: &[]cyclonedx.Dependency{
{
Ref: "p1",
Dependencies: &[]string{"p2"},
},
}}
sbom, err := ToSyftModel(&cyclonedx_bom)
assert.Nil(t, err)
assert.Len(t, sbom.Relationships, 1)
relationship := sbom.Relationships[0]
// check that p2 -- dependency of --> p1
// same as p1 -- depends on --> p2
assert.Equal(t, artifact.DependencyOfRelationship, relationship.Type)
assert.Equal(t, "package-2", packageNameFromIdentifier(sbom, relationship.From))
assert.Equal(t, "package-1", packageNameFromIdentifier(sbom, relationship.To))
}
func packageNameFromIdentifier(model *sbom.SBOM, identifier artifact.Identifiable) string {
return model.Artifacts.Packages.Package(identifier.ID()).Name
}
func Test_missingDataDecode(t *testing.T) { func Test_missingDataDecode(t *testing.T) {
bom := &cyclonedx.BOM{ bom := &cyclonedx.BOM{
Metadata: nil, Metadata: nil,