-
-
Notifications
You must be signed in to change notification settings - Fork 562
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix namespace detection from distro IDs #3770
base: develop
Are you sure you want to change the base?
Conversation
In docker image/other rootfs scans with SCIO we are always scanning for system packages before we scan for application packages, and we were not being able to use the distro information as this was being detected in application package scans happening later. So in this commit we are also adding os-release file parser to system package handler. Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Update debian, rpm and alpine package assembly to get distro identifier and then set this properly to created package, dependency and package_uid instances. Reference: #3443 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Reference: #3726 Reference: package-url/purl-spec#171 Reference: package-url/purl-spec#159 Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
5e60b05
to
4c9e044
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
But this still does not match the PURL spec at https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#apk
pretty_name = distro.pretty_name and distro.pretty_name.lower() or '' | ||
|
||
# TODO: It is misleading to use package data fields | ||
# name and namespace to store distro/os infomration, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
infomration -> information
if distro_identifier == 'debian': | ||
namespace = 'debian' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you sure there is no namespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we always need a default repo... here alpine for apk
For RPMs, we have and should be able to derive the distro from the vendor or distribution RPM metadata and map that to a proper namespace
@@ -74,5 +74,5 @@ | |||
"repository_download_url": null, | |||
"api_data_url": null, | |||
"datasource_id": "alpine_apkbuild", | |||
"purl": "pkg:alpine/bluedevil@5.22.0-r0" | |||
"purl": "pkg:apk/bluedevil@5.22.0-r0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"purl": "pkg:apk/bluedevil@5.22.0-r0" | |
"purl": "pkg:apk/alpine/bluedevil@5.22.0-r0" |
@AyanSinhaMahapatra gentle ping... I would like to merge this soon enough |
Update debian, rpm and alpine package assembly to get
distro identifier and then set this properly to
created package, dependency and package_uid instances.
Fixes #3443
Tasks
Run tests locally to check for errors.