Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix namespace detection from distro IDs #3770

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from

Conversation

AyanSinhaMahapatra
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra commented May 8, 2024

Update debian, rpm and alpine package assembly to get
distro identifier and then set this properly to
created package, dependency and package_uid instances.

Fixes #3443

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
    Run tests locally to check for errors.
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁
  • Updated documentation pages (if applicable)
  • Updated CHANGELOG.rst (if applicable)

In docker image/other rootfs scans with SCIO we are always
scanning for system packages before we scan for application
packages, and we were not being able to use the distro
information as this was being detected in application
package scans happening later. So in this commit we are
also adding os-release file parser to system package handler.

Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Update debian, rpm and alpine package assembly to get
distro identifier and then set this properly to
created package, dependency and package_uid instances.

Reference: #3443
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Reference: #3726
Reference: package-url/purl-spec#171
Reference: package-url/purl-spec#159
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Signed-off-by: Ayan Sinha Mahapatra <ayansmahapatra@gmail.com>
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
But this still does not match the PURL spec at https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#apk

pretty_name = distro.pretty_name and distro.pretty_name.lower() or ''

# TODO: It is misleading to use package data fields
# name and namespace to store distro/os infomration,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

infomration -> information

if distro_identifier == 'debian':
namespace = 'debian'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure there is no namespace?

Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we always need a default repo... here alpine for apk
For RPMs, we have and should be able to derive the distro from the vendor or distribution RPM metadata and map that to a proper namespace

@@ -74,5 +74,5 @@
"repository_download_url": null,
"api_data_url": null,
"datasource_id": "alpine_apkbuild",
"purl": "pkg:alpine/bluedevil@5.22.0-r0"
"purl": "pkg:apk/bluedevil@5.22.0-r0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"purl": "pkg:apk/bluedevil@5.22.0-r0"
"purl": "pkg:apk/alpine/bluedevil@5.22.0-r0"

@pombredanne
Copy link
Member

@AyanSinhaMahapatra gentle ping... I would like to merge this soon enough

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

distro is passed as None for RPM packages
2 participants