
fix(sbom): detect OS from purl if OS component not found #7101

Open
wants to merge 9 commits into base: main
Conversation

DmitriyLewen
Contributor

Description

There are cases when SBOM file doesn't contain OS component.
To avoid missing OS packages, we can try to get the OS from the purl.
More details - #7073 (reply in thread)

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Jul 5, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review July 5, 2024 08:08
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner July 5, 2024 08:08
```go
	}
	return s
})
return xerrors.Errorf("multiple OSes in SBOM are not supported (%q)", oses)
```
Contributor Author

I thought about it.
We can leave this error.

But if we run into problems with this, we will update the logic to get the OS (from purl) with the maximum number of packages.
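The fallback described in the PR description (derive the OS from package purls when the SBOM has no OS component) and the "multiple OSes" error discussed in the review comment above, as an added example. This is illustrative code written for this page, not Trivy's implementation: it parses purls with the standard library only, assumes the purl-spec convention that for `apk`, `deb` and `rpm` purls the namespace is the OS family and the `distro` qualifier is its version, and uses constructed sample purls.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OS is the (family, version) pair derived from one OS-package purl.
type OS struct {
	Family  string
	Version string
}

// osFromPurl extracts the OS from an apk/deb/rpm purl (hypothetical helper).
// Assumption: namespace = OS family, `distro` qualifier = OS version.
// Language-ecosystem purls (golang, npm, ...) carry no OS and return ok=false.
func osFromPurl(purl string) (OS, bool) {
	rest, found := strings.CutPrefix(purl, "pkg:")
	if !found {
		return OS{}, false
	}
	path, query, _ := strings.Cut(rest, "?") // split off qualifiers
	parts := strings.SplitN(path, "/", 3)    // type / namespace / name@version
	if len(parts) < 3 || (parts[0] != "apk" && parts[0] != "deb" && parts[0] != "rpm") {
		return OS{}, false
	}
	qualifiers := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			qualifiers[k] = v
		}
	}
	return OS{Family: parts[1], Version: qualifiers["distro"]}, true
}

// detectOS picks the OS for an SBOM that lacks an OS component. Distinct OSes
// across purls are rejected, matching the error kept in the PR, not guessed.
func detectOS(purls []string) (OS, error) {
	seen := map[OS]struct{}{}
	for _, p := range purls {
		if o, ok := osFromPurl(p); ok {
			seen[o] = struct{}{}
		}
	}
	if len(seen) == 1 {
		for o := range seen {
			return o, nil
		}
	}
	var oses []string // sorted for a deterministic error message
	for o := range seen {
		oses = append(oses, o.Family+"/"+o.Version)
	}
	sort.Strings(oses)
	if len(oses) == 0 {
		return OS{}, fmt.Errorf("no OS package purls found in SBOM")
	}
	return OS{}, fmt.Errorf("multiple OSes in SBOM are not supported (%q)", oses)
}

func main() {
	// Constructed sample: purls from a wolfi image SBOM without an OS component.
	purls := []string{
		"pkg:apk/wolfi/glibc@2.39-r1?arch=x86_64&distro=wolfi-20230201",
		"pkg:apk/wolfi/ca-certificates-bundle@20240203-r0?arch=x86_64&distro=wolfi-20230201",
		"pkg:golang/github.com/spf13/cobra@v1.8.0", // language package: ignored
	}
	o, err := detectOS(purls)
	fmt.Println(o, err)
}
```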

@eshafaq1

@DmitriyLewen thank you for creating this PR, I too am seeing a lot of warnings when scanning wolfi images.

Question unrelated to PR: For these warnings you mention in discussions/7073, is Trivy unable to scan the packages in the image, therefore being unable to report accurate vulnerability info for Wolfi images?

@DmitriyLewen
Contributor Author

Hello @eshafaq1

is Trivy unable to scan the packages in the image therefore being unable to report accurate vulnerability info for Wolfi images?

Trivy detects the following packages from wolfi images:

  1. apk packages obtained from lib/apk/db/installed file (default way to detect apk packages)
  2. packages from SBOM files (this PR for these packages).

IIUC packages from p1 and p2 are the same (duplicates).
So you shouldn't have a problem, because Trivy correctly detects vulnerabilities for packages from p1.

@eshafaq1

eshafaq1 commented Aug 8, 2024

Hopefully @knqyf263 can get some time to review :)


github-actions bot commented Oct 8, 2024

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 8, 2024
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 8, 2024

github-actions bot commented Dec 8, 2024

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 8, 2024
@tuananh

tuananh commented Dec 26, 2024

Is there anything we can do to move this forward?

@DmitriyLewen
Contributor Author

Hello @tuananh

Unfortunately, we are currently busy with more priority tasks.

Please be patient.
As soon as we have time, we will return to this PR.

Regards, Dmitriy

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 27, 2024