fix ELF package correlations (#3151)

2025-11-17 08:23:15 +01:00 · 2024-08-26 08:44:39 -04:00 · 2024-08-26 08:44:39 -04:00 · b6b5c8e308
commit b6b5c8e308
parent dad253785e
2 changed files with 28 additions and 7 deletions
--- a/internal/relationship/binary/binary_dependencies.go
+++ b/internal/relationship/binary/binary_dependencies.go
@ -36,8 +36,7 @@ func generateRelationships(resolver file.Resolver, accessor sbomsync.Accessor, i
 				newRelationships.Add(r)
 			}
 		}
-
-		for _, parentPkg := range s.Artifacts.Packages.Sorted(pkg.BinaryPkg) {
+		for _, parentPkg := range allElfPackages(s) {
 			for _, evidentLocation := range parentPkg.Locations.ToSlice() {
 				if evidentLocation.Annotations[pkg.EvidenceAnnotationKey] != pkg.PrimaryEvidenceAnnotation {
 					continue
@ -101,7 +100,7 @@ func onlyPrimaryEvidenceLocations(p pkg.Package) []file.Location {

 func allElfPackages(s *sbom.SBOM) []pkg.Package {
 	var elfPkgs []pkg.Package
-	for _, p := range s.Artifacts.Packages.Sorted(pkg.BinaryPkg) {
+	for _, p := range s.Artifacts.Packages.Sorted() {
 		if !isElfPackage(p) {
 			continue
 		}
--- a/internal/relationship/binary/binary_dependencies_test.go
+++ b/internal/relationship/binary/binary_dependencies_test.go
@ -50,6 +50,22 @@ func TestPackagesToRemove(t *testing.T) {
 	}
 	glibCBinaryELFPackage.SetID()

+	glibCBinaryELFPackageAsRPM := pkg.Package{
+		Name: "glibc",
+		Locations: file.NewLocationSet(
+			file.NewLocation(glibcCoordinate.RealPath).WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation),
+		),
+		Type: pkg.RpmPkg, // note: the elf package claims it is a RPM, not binary
+		Metadata: pkg.ELFBinaryPackageNoteJSONPayload{
+			Type:       "rpm",
+			Vendor:     "syft",
+			System:     "syftsys",
+			SourceRepo: "https://github.com/someone/somewhere.git",
+			Commit:     "5534c38d0ffef9a3f83154f0b7a7fb6ab0ab6dbb",
+		},
+	}
+	glibCBinaryELFPackageAsRPM.SetID()
+
 	glibCBinaryClassifierPackage := pkg.Package{
 		Name: "glibc",
 		Locations: file.NewLocationSet(
@ -83,9 +99,15 @@ func TestPackagesToRemove(t *testing.T) {
 			want:     []artifact.ID{glibCBinaryELFPackage.ID()},
 		},
 		{
-			name:     "remove no packages when there is a single binary package",
+			name:     "keep packages that are overlapping rpm --> binary when the binary self identifies as an RPM",
 			resolver: file.NewMockResolverForPaths(glibcCoordinate.RealPath),
-			accessor: newAccessor([]pkg.Package{glibCBinaryELFPackage}, map[file.Coordinates]file.Executable{}, nil),
+			accessor: newAccessor([]pkg.Package{glibCPackage, glibCBinaryELFPackageAsRPM}, map[file.Coordinates]file.Executable{}, nil),
+			want:     []artifact.ID{},
+		},
+		{
+			name:     "remove no packages when there is a single binary package (or self identifying RPM)",
+			resolver: file.NewMockResolverForPaths(glibcCoordinate.RealPath),
+			accessor: newAccessor([]pkg.Package{glibCBinaryELFPackage, glibCBinaryELFPackageAsRPM}, map[file.Coordinates]file.Executable{}, nil),
 			want:     []artifact.ID{},
 		},
 		{
@ -173,9 +195,9 @@ func TestNewDependencyRelationships(t *testing.T) {
 			file.NewLocation(parallelLibCoordinate.RealPath).WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation),
 		),
 		Language: "",
-		Type:     pkg.BinaryPkg,
+		Type:     pkg.RpmPkg,
 		Metadata: pkg.ELFBinaryPackageNoteJSONPayload{
-			Type:       "testfixture",
+			Type:       "rpm",
 			Vendor:     "syft",
 			System:     "syftsys",
 			SourceRepo: "https://github.com/someone/somewhere.git",