From dd2ee2bbf7a60182e347965a79dad004f77b00a9 Mon Sep 17 00:00:00 2001 From: William Murphy Date: Fri, 21 Feb 2025 09:22:37 -0500 Subject: [PATCH] fix: find bitnami files even when no relationships (#3676) The bitnami cataloger assigns files under /opt/bitnami/PACKAGE to be owned by PACKAGE unless they are otherwise owned. Previously, this main package was identified only by relationships, leading to an edge case where if there was a bitnami SBOM with a single package in it, there were no relationships, and so there would be no main package to assign the files to, leading to deduplication failures. Instead, when encountering a bitnami SBOM with exactly one package in it, assume that package is the main package of that SBOM. Signed-off-by: Will Murphy --- syft/pkg/cataloger/bitnami/cataloger.go | 4 ++ syft/pkg/cataloger/bitnami/cataloger_test.go | 31 +++++++++++++++ .../no-rel/opt/bitnami/redis/.spdx-redis.spdx | 38 +++++++++++++++++++ .../no-rel/opt/bitnami/redis/bin/redis-server | 1 + 4 files changed, 74 insertions(+) create mode 100644 syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/.spdx-redis.spdx create mode 100644 syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/bin/redis-server diff --git a/syft/pkg/cataloger/bitnami/cataloger.go b/syft/pkg/cataloger/bitnami/cataloger.go index 510d526d8..6cdf1a12d 100644 --- a/syft/pkg/cataloger/bitnami/cataloger.go +++ b/syft/pkg/cataloger/bitnami/cataloger.go @@ -80,6 +80,10 @@ func parseSBOM(_ context.Context, resolver file.Resolver, _ *generic.Environment pkgs = append(pkgs, p) } + // If there is exactly one package, assume it is the main package + if len(pkgs) == 1 && mainPkgID == "" { + mainPkgID = pkgs[0].ID() + } // Resolve all files owned by the main package in the SBOM and update the metadata if mainPkgFiles, err := mainPkgFiles(resolver, reader.Location.RealPath, secondaryPkgsFiles); err == nil { diff --git a/syft/pkg/cataloger/bitnami/cataloger_test.go b/syft/pkg/cataloger/bitnami/cataloger_test.go index 948b266cd..38c1eb823 100644 --- a/syft/pkg/cataloger/bitnami/cataloger_test.go +++ b/syft/pkg/cataloger/bitnami/cataloger_test.go @@ -421,6 +421,31 @@ func TestBitnamiCataloger(t *testing.T) { }, } + redisMainPkg := pkg.Package{ + Name: "redis", + Version: "7.4.0-0", + Type: pkg.BitnamiPkg, + Locations: file.NewLocationSet(file.NewLocation("opt/bitnami/redis/.spdx-redis.spdx")), + Licenses: pkg.NewLicenseSet( + pkg.NewLicenseFromType("RSALv2", license.Concluded), + pkg.NewLicenseFromType("RSALv2", license.Declared), + ), + FoundBy: catalogerName, + PURL: "pkg:bitnami/redis@7.4.0-0?arch=arm64&distro=debian-12", + CPEs: mustCPEs( + "cpe:2.3:*:redis:redis:7.4.0:*:*:*:*:*:*:*", + ), + Metadata: &pkg.BitnamiSBOMEntry{ + Name: "redis", + Version: "7.4.0", + Revision: "0", + Architecture: "arm64", + Distro: "debian-12", + Path: "opt/bitnami/redis", + Files: []string{"opt/bitnami/redis/bin/redis-server"}, + }, + } + tests := []struct { name string fixture string @@ -456,6 +481,12 @@ func TestBitnamiCataloger(t *testing.T) { wantRelationships: nil, wantErr: require.Error, }, + { + name: "SBOM with no relationships", + fixture: "test-fixtures/no-rel", + wantPkgs: []pkg.Package{redisMainPkg}, + wantRelationships: nil, + }, } for _, tt := range tests { diff --git a/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/.spdx-redis.spdx b/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/.spdx-redis.spdx new file mode 100644 index 000000000..9b9510103 --- /dev/null +++ b/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/.spdx-redis.spdx @@ -0,0 +1,38 @@ +{ + "SPDXID": "SPDXRef-redis", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2024-08-08T11:12:35.680Z", + "creators": ["Organization: VMware, Inc."] + }, + "name": "SPDX document for Redis(R) 7.4.0", + "dataLicense": "CC0-1.0", + "documentDescribes": ["SPDXRef-redis"], + "documentNamespace": "redis-7.4.0", + "packages": [ + { + "SPDXID": "SPDXRef-redis", + "name": "redis", + "versionInfo": "7.4.0-0", + "downloadLocation": "http://download.redis.io/releases/redis-7.4.0.tar.gz", + "licenseConcluded": "RSALv2", + "licenseDeclared": "RSALv2", + "filesAnalyzed": false, + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:redis:redis:7.4.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:bitnami/redis@7.4.0-0?arch=arm64&distro=debian-12" + } + ], + "copyrightText": "NOASSERTION" + } + ], + "files": [], + "relationships": [] +} diff --git a/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/bin/redis-server b/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/bin/redis-server new file mode 100644 index 000000000..1dbc31944 --- /dev/null +++ b/syft/pkg/cataloger/bitnami/test-fixtures/no-rel/opt/bitnami/redis/bin/redis-server @@ -0,0 +1 @@ +test fixture pretending to be redis-server