
Commit d0c81e2

authored
feat(vex): add PURL matching for CSAF VEX (aquasecurity#5890)
Signed-off-by: knqyf263 <[email protected]>
1 parent 958e1f1 commit d0c81e2

29 files changed

+1236
-1390
lines changed

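--- a/integration/testdata/conda-spdx.json.golden
+++ b/integration/testdata/conda-spdx.json.golden
@@ -22,7 +22,7 @@
 },
 {
 "name": "openssl",
-"SPDXID": "SPDXRef-Package-38e5db7a21fc70a8",
+"SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
 "versionInfo": "1.1.1q",
 "supplier": "NOASSERTION",
 "downloadLocation": "NONE",
@@ -43,7 +43,7 @@
 },
 {
 "name": "pip",
-"SPDXID": "SPDXRef-Package-f9844c873ead5dbe",
+"SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
 "versionInfo": "22.2.2",
 "supplier": "NOASSERTION",
 "downloadLocation": "NONE",
@@ -110,21 +110,21 @@
 },
 {
 "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-"relatedSpdxElement": "SPDXRef-Package-38e5db7a21fc70a8",
+"relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
 "relationshipType": "CONTAINS"
 },
 {
-"spdxElementId": "SPDXRef-Package-38e5db7a21fc70a8",
+"spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
 "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
 "relationshipType": "CONTAINS"
 },
 {
 "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-"relatedSpdxElement": "SPDXRef-Package-f9844c873ead5dbe",
+"relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
 "relationshipType": "CONTAINS"
 },
 {
-"spdxElementId": "SPDXRef-Package-f9844c873ead5dbe",
+"spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
 "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
 "relationshipType": "CONTAINS"
 }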

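--- a/pkg/fanal/analyzer/sbom/sbom.go
+++ b/pkg/fanal/analyzer/sbom/sbom.go
@@ -88,9 +88,6 @@ func handleBitnamiImages(componentPath string, bom types.SBOM) {
 // If the file path is empty, the file path will be set to the component dir path.
 filePath := path.Join(componentPath, pkg.FilePath)
 bom.Applications[i].Libraries[j].FilePath = filePath
-if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.FilePath != "" {
-bom.Applications[i].Libraries[j].Identifier.PURL.FilePath = filePath
-}
 }
 }
 }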

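--- a/pkg/fanal/analyzer/sbom/sbom_test.go
+++ b/pkg/fanal/analyzer/sbom/sbom_test.go
@@ -35,13 +35,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "1.36.0",
 FilePath: "opt/bitnami/elasticsearch",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent",
-Version: "1.36.0",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent",
+Version: "1.36.0",
 },
 },
 },
@@ -50,13 +48,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "1.36.0",
 FilePath: "opt/bitnami/elasticsearch",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent-cached-lookup-key",
-Version: "1.36.0",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent-cached-lookup-key",
+Version: "1.36.0",
 },
 },
 },
@@ -65,13 +61,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "1.36.0",
 FilePath: "opt/bitnami/elasticsearch",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent-common",
-Version: "1.36.0",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent-common",
+Version: "1.36.0",
 },
 },
 },
@@ -80,13 +74,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "1.36.0",
 FilePath: "opt/bitnami/elasticsearch",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent-core",
-Version: "1.36.0",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent-core",
+Version: "1.36.0",
 },
 },
 },
@@ -102,16 +94,14 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Arch: "arm64",
 Licenses: []string{"Elastic-2.0"},
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeBitnami,
-Name: "elasticsearch",
-Version: "8.9.1",
-Qualifiers: packageurl.Qualifiers{
-{
-Key: "arch",
-Value: "arm64",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeBitnami,
+Name: "elasticsearch",
+Version: "8.9.1",
+Qualifiers: packageurl.Qualifiers{
+{
+Key: "arch",
+Value: "arm64",
 },
 },
 },
@@ -137,14 +127,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Name: "co.elastic.apm:apm-agent",
 Version: "1.36.0",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent",
-Version: "1.36.0",
-},
-FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent",
+Version: "1.36.0",
 },
 BOMRef: "pkg:maven/co.elastic.apm/[email protected]",
 },
@@ -154,14 +141,11 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Name: "co.elastic.apm:apm-agent-cached-lookup-key",
 Version: "1.36.0",
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeMaven,
-Namespace: "co.elastic.apm",
-Name: "apm-agent-cached-lookup-key",
-Version: "1.36.0",
-},
-FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeMaven,
+Namespace: "co.elastic.apm",
+Name: "apm-agent-cached-lookup-key",
+Version: "1.36.0",
 },
 BOMRef: "pkg:maven/co.elastic.apm/[email protected]",
 },
@@ -187,12 +171,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "3.7.1",
 Licenses: []string{"MIT"},
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeBitnami,
-Name: "gdal",
-Version: "3.7.1",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeBitnami,
+Name: "gdal",
+Version: "3.7.1",
 },
 },
 },
@@ -201,12 +183,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "3.8.3",
 Licenses: []string{"LGPL-2.1-only"},
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeBitnami,
-Name: "geos",
-Version: "3.8.3",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeBitnami,
+Name: "geos",
+Version: "3.8.3",
 },
 },
 },
@@ -215,12 +195,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "15.3.0",
 Licenses: []string{"PostgreSQL"},
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeBitnami,
-Name: "postgresql",
-Version: "15.3.0",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeBitnami,
+Name: "postgresql",
+Version: "15.3.0",
 },
 },
 },
@@ -229,12 +207,10 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 Version: "6.3.2",
 Licenses: []string{"MIT"},
 Identifier: types.PkgIdentifier{
-PURL: &types.PackageURL{
-PackageURL: packageurl.PackageURL{
-Type: packageurl.TypeBitnami,
-Name: "proj",
-Version: "6.3.2",
-},
+PURL: &packageurl.PackageURL{
+Type: packageurl.TypeBitnami,
+Name: "proj",
+Version: "6.3.2",
 },
 },
 },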
