swap postgres signature check for rocky linux baseline rpm (#4941)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Alex Goodman 2026-05-26 10:11:38 -04:00 committed by GitHub
parent 0fb8762f41
commit e8c6b7151e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 29 additions and 31 deletions


@ -118,32 +118,32 @@ func TestParseRpmFiles(t *testing.T) {
skipFiles: true, skipFiles: true,
expected: []pkg.Package{ expected: []pkg.Package{
{ {
Name: "postgresql14-server", Name: "basesystem",
Version: "0:14.10-1PGDG.rhel9", Version: "0:11-13.el9.0.1",
PURL: "pkg:rpm/postgresql14-server@14.10-1PGDG.rhel9?arch=x86_64&epoch=0&upstream=postgresql14-14.10-1PGDG.rhel9.src.rpm", PURL: "pkg:rpm/basesystem@11-13.el9.0.1?arch=noarch&epoch=0&upstream=basesystem-11-13.el9.0.1.src.rpm",
Locations: file.NewLocationSet(file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm")), Locations: file.NewLocationSet(file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm")),
FoundBy: "rpm-archive-cataloger", FoundBy: "rpm-archive-cataloger",
Type: pkg.RpmPkg, Type: pkg.RpmPkg,
Licenses: pkg.NewLicenseSet(pkg.NewLicenseFromLocations("PostgreSQL", file.NewLocation("/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm"))), Licenses: pkg.NewLicenseSet(pkg.NewLicenseFromLocations("Public Domain", file.NewLocation("/basesystem-11-13.el9.0.1.noarch.rpm"))),
Language: "", Language: "",
CPEs: nil, CPEs: nil,
Metadata: pkg.RpmArchive{ Metadata: pkg.RpmArchive{
Name: "postgresql14-server", Name: "basesystem",
Version: "14.10", Version: "11",
Epoch: ref(0), Epoch: ref(0),
Arch: "x86_64", Arch: "noarch",
Release: "1PGDG.rhel9", Release: "13.el9.0.1",
SourceRpm: "postgresql14-14.10-1PGDG.rhel9.src.rpm", SourceRpm: "basesystem-11-13.el9.0.1.src.rpm",
Size: 24521699, Size: 0,
Signatures: []pkg.RpmSignature{ Signatures: []pkg.RpmSignature{
{ {
PublicKeyAlgorithm: "RSA", PublicKeyAlgorithm: "RSA",
HashAlgorithm: "SHA256", HashAlgorithm: "SHA256",
Created: "Tue Jan 2 16:45:56 2024", Created: "Thu Feb 29 17:37:22 2024",
IssuerKeyID: "40bca2b408b40d20", IssuerKeyID: "702d426d350d275d",
}, },
}, },
Vendor: "PostgreSQL Global Development Group", Vendor: "Rocky Enterprise Software Foundation",
// note: files are not asserted in this test // note: files are not asserted in this test
}, },
}, },
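Review bot: `Size: 0` in the expected `pkg.RpmArchive` is the zero value, so this case no longer shows that the cataloger reads the size from the RPM header; a field that is never populated would pass as well. The previous fixture asserted a non-zero size (24521699). If basesystem stays the fixture (presumably it has an empty payload), add a comment next to the field such as `// basesystem ships no files, so the header size is legitimately 0`, and keep a non-zero size assertion in another case. TestParseRpmFiles starts and continues outside this hunk, so another case may already cover this.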


@ -1,26 +1,24 @@
FROM --platform=linux/amd64 rockylinux:9 AS rpm-downloader FROM --platform=linux/amd64 rockylinux:9 AS rpm-downloader
# download a signed RPM (PostgreSQL in this example, known to be signed) # download a signed RPM from the Rocky Linux 9.3 vault. Rocky Linux freezes
# using PostgreSQL official RPM which is signed with their GPG key # minor-version contents in the vault indefinitely, which gives us a stable
# $ rpm -Kv postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm # upstream that won't rotate the way distro "current" repos do (the previous
# postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm: # fixture used a PostgreSQL repo and broke when PG removed older 14.x RPMs).
# Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY #
# $ rpm -Kv basesystem-11-13.el9.0.1.noarch.rpm
# basesystem-11-13.el9.0.1.noarch.rpm:
# Header V4 RSA/SHA256 Signature, key ID 350d275d: NOKEY
# Header SHA256 digest: OK # Header SHA256 digest: OK
# Header SHA1 digest: OK # Header SHA1 digest: OK
# Payload SHA256 digest: OK # Payload SHA256 digest: OK
# MD5 digest: OK # MD5 digest: OK
# #
# $ rpm -ivh --nodeps --force postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm # $ rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' basesystem-11-13.el9.0.1.noarch.rpm
# warning: postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 08b40d20: NOKEY # basesystem-11-13.el9.0.1 RSA/SHA256, Thu Feb 29 17:37:22 2024, Key ID 702d426d350d275d
# Verifying... ################################# [100%]
# Preparing... ################################# [100%]
#
# $ rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{RSAHEADER:pgpsig}\n' postgresql14-server-14.10-1PGDG.rhel9.x86_64
# postgresql14-server-14.10-1PGDG.rhel9 RSA/SHA256, Tue Jan 2 16:45:56 2024, Key ID 40bca2b408b40d20
RUN curl -O https://download.postgresql.org/pub/repos/yum/14/redhat/rhel-9-x86_64/postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm RUN curl -O https://dl.rockylinux.org/vault/rocky/9.3/BaseOS/x86_64/os/Packages/b/basesystem-11-13.el9.0.1.noarch.rpm
FROM scratch FROM scratch
COPY --from=rpm-downloader /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm /postgresql14-server-14.10-1PGDG.rhel9.x86_64.rpm COPY --from=rpm-downloader /basesystem-11-13.el9.0.1.noarch.rpm /basesystem-11-13.el9.0.1.noarch.rpm
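Review bot: The new `RUN curl -O https://dl.rockylinux.org/vault/...` line downloads the fixture without `--fail` and without an integrity check. An HTTP error body or a silently changed upstream file would be copied into the `scratch` image and only surface later as a confusing parse or signature mismatch in the test. The `rpm -Kv` output quoted in the comment shows `NOKEY`, so the signature was never verified against a trusted key and only the embedded digests were checked. Pin the content instead: `RUN curl -fsSLO <url> && echo "<sha256-of-rpm>  basesystem-11-13.el9.0.1.noarch.rpm" | sha256sum -c -`, with the digest recorded once from a verified download. The floating `rockylinux:9` tag could also be pinned by digest for a reproducible build, although only curl is used from that stage.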