fix: retain sbom cataloger relationships (#1509)

Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com> Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>
anchore · May 15, 2023 · b4ed599 · b4ed599
1 parent e925d9d
commit b4ed599
Show file tree

Hide file tree

Showing 4 changed files with 129 additions and 528 deletions.
diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
@@ -247,7 +247,6 @@ func (p *CatalogTester) assertPkgs(t *testing.T, pkgs []pkg.Package, relationshi
 			t.Errorf("unexpected packages from parsing (-expected +actual)\n%s", diff)
 		}
 	}
-
 	{
 		var r diffReporter
 		var opts []cmp.Option

diff --git a/syft/pkg/cataloger/sbom/cataloger.go b/syft/pkg/cataloger/sbom/cataloger.go
@@ -41,7 +41,7 @@ func parseSBOM(_ source.FileResolver, _ *generic.Environment, reader source.Loca
 	}
 
 	var pkgs []pkg.Package
-	var relationships []artifact.Relationship
+	relationships := s.Relationships
 	for _, p := range s.Artifacts.Packages.Sorted() {
 		// replace all locations on the package with the location of the SBOM file.
 		// Why not keep the original list of locations? Since the "locations" field is meant to capture

diff --git a/syft/pkg/cataloger/sbom/cataloger_test.go b/syft/pkg/cataloger/sbom/cataloger_test.go
@@ -252,7 +252,131 @@ func Test_parseSBOM(t *testing.T) {
 		},
 	}
 
-	var expectedRelationships []artifact.Relationship
+	apkgdbLocation := source.NewLocationSet(source.Location{
+		LocationData: source.LocationData{
+			Coordinates: source.Coordinates{
+				RealPath:     "/lib/apk/db/installed",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+		},
+	})
+
+	libSSL := pkg.Package{
+		Name:      "libssl1.1",
+		Version:   "1.1.1s-r0",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"OpenSSL"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/libssl1.1@1.1.1s-r0?arch=x86_64&upstream=openssl&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1s-r0:*:*:*:*:*:*:*",
+		),
+	}
+
+	sslClient := pkg.Package{
+		Name:      "ssl_client",
+		Version:   "1.35.0-r17",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/ssl_client@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:ssl-client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl-client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl_client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl_client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+		),
+	}
+
+	baseLayout := pkg.Package{
+		Name:      "alpine-baselayout",
+		Version:   "3.2.0-r23",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/alpine-baselayout@3.2.0-r23?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+		),
+	}
+
+	busybox := pkg.Package{
+		Name:      "busybox",
+		Version:   "1.35.0-r17",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/busybox@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:busybox:busybox:1.35.0-r17:*:*:*:*:*:*:*",
+		),
+	}
+
+	musl := pkg.Package{
+		Name:      "musl",
+		Version:   "1.2.3-r1",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"MIT"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/musl@1.2.3-r1?arch=x86_64&upstream=musl&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:musl:musl:1.2.3-r1:*:*:*:*:*:*:*",
+		),
+	}
+
+	expectedRelationships := []artifact.Relationship{
+		{
+			From: libSSL,
+			To:   sslClient,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: libSSL,
+			To: source.Coordinates{
+				RealPath:     "/lib/libssl.so.1.1",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: busybox,
+			To:   baseLayout,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: baseLayout,
+			To: source.Coordinates{
+				RealPath:     "/etc/profile.d/color_prompt.sh.disabled",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: baseLayout,
+			To: source.Coordinates{
+				RealPath:     "/etc/modprobe.d/kms.conf",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: musl,
+			To:   libSSL,
+			Type: artifact.DependencyOfRelationship,
+		},
+	}
 
 	for _, p := range expectedPkgs {
 		expectedRelationships = append(expectedRelationships, artifact.Relationship{
-Original file line number
+Diff line change
@@ Expand Up @@
     			t.Errorf("unexpected packages from parsing (-expected +actual)\n%s", diff)
     		}
     	}
     	{
     		var r diffReporter
     		var opts []cmp.Option
@@ Expand Down @@