gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)

Browse Source 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
This commit is contained in:
Aqua Security automated builds
2025-02-02 22:55:46 -07:00
committed by GitHub
parent a58d6854dc
commit 3fd8e2785b
3 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/fanal/analyzer/sbom/sbom.go
View File

@@ -52,6 +52,12 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
handleBitnamiImages(path.Dir(input.FilePath), bom)
}
// Add the filePath to avoid overwriting OS packages when merging packages from multiple SBOM files.
// cf. https://github.com/aquasecurity/trivy/issues/8324
for i, pkgInfo := range bom.Packages {
bom.Packages[i].FilePath = path.Join(input.FilePath, pkgInfo.FilePath)
}
// FilePath for apps with aggregatingTypes is empty.
// Set the SBOM file path as Application.FilePath to correctly overwrite applications when merging layers.
for i, app := range bom.Applications {

36
pkg/fanal/analyzer/sbom/sbom_test.go
View File

@@ -238,6 +238,42 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
wantErr: require.NoError,
},
{
name: "valid ca-certificates spdx file",
file: "testdata/ca-certificates.spdx.json",
filePath: "opt/bitnami/ca-certificates/.spdx-ca-certificates.spdx",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
FilePath: "opt/bitnami/ca-certificates/.spdx-ca-certificates.spdx",
Packages: types.Packages{
{
ID: "ca-certificates@20230311",
Name: "ca-certificates",
Version: "20230311",
Arch: "all",
SrcName: "ca-certificates",
SrcVersion: "20230311",
Licenses: []string{"GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0"},
Identifier: types.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "debian",
Name: "ca-certificates",
Version: "20230311",
Qualifiers: packageurl.Qualifiers{
{Key: "arch", Value: "all"},
{Key: "distro", Value: "debian-12.9"},
},
},
},
},
},
},
},
},
wantErr: require.NoError,
},
{
name: "invalid spdx file",
file: "testdata/invalid_spdx.json",

55
pkg/fanal/analyzer/sbom/testdata/ca-certificates.spdx.json vendored Normal file
View File

@@ -0,0 +1,55 @@
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "host",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-1022538e-83fe-4aa7-8718-a78839114c83",
"creationInfo": {
"creators": [
"Organization: aquasecurity",
"Tool: trivy-0.58.1"
],
"created": "2025-01-30T11:30:05Z"
},
"packages": [
{
"name": "ca-certificates",
"SPDXID": "SPDXRef-Package-c1d4029824045f75",
"versionInfo": "20230311",
"supplier": "Organization: Julien Cristau <jcristau@debian.org>",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"sourceInfo": "built package from: ca-certificates 20230311",
"licenseConcluded": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0",
"licenseDeclared": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.9"
}
],
"primaryPackagePurpose": "LIBRARY"
},
{
"name": "debian",
"SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
"versionInfo": "12.9",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"primaryPackagePurpose": "OPERATING-SYSTEM"
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
"relatedSpdxElement": "SPDXRef-Package-c1d4029824045f75",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
"relationshipType": "DESCRIBES"
}
]
}