RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) #3534

Open
njv299 opened this issue Dec 17, 2024 · 0 comments · May be fixed by #3615
Labels
bug Something isn't working good-first-issue Good for newcomers

Comments

@njv299
Contributor

njv299 commented Dec 17, 2024

What happened:

Packages created based on RPM database information (such as those from OpenSUSE) sometimes contain incorrect PURL namespace values.

For example, running Syft against the opensuse/leap:15.6 official Docker image produces PURLs similar to the following:

pkg:rpm/opensuse-leap/bash-sh@4.4-150400.25.22?arch=x86_64&distro=opensuse-leap-15.6&upstream=bash-4.4-150400.25.22.src.rpm
pkg:rpm/opensuse-leap/boost-license1_66_0@1.66.0-12.3.1?arch=noarch&distro=opensuse-leap-15.6&upstream=boost-base-1.66.0-12.3.1.src.rpm
pkg:rpm/opensuse-leap/libpsl5@0.20.1-150000.3.3.1?arch=x86_64&distro=opensuse-leap-15.6&upstream=libpsl-0.20.1-150000.3.3.1.src.rpm

While there aren't any 'official' documents detailing what the PURL namespace field should be, it appears that the expected value for OpenSUSE Leap is just opensuse, and 'Leap 15.6' should be encoded into the distro qualifier (as it correctly is in the above-mentioned cases).

The supporting evidence I have found for the 'correct' namespace simply being opensuse is:

  • The one opensuse example PURL on the official PURL spec github page:
    pkg:rpm/opensuse/curl@7.56.1-1.1.?arch=i386&distro=opensuse-tumbleweed
  • The OpenSUSE PURL entries that currently exist on osv.dev such as this one:
    pkg:rpm/opensuse/libaom-devel-doc&distro=openSUSE%20Leap%2015.5

It appears that the Syft logic to generate PURLs for such packages simply uses the value of Distro.ID verbatim, with the exception of translating rhel to redhat. I believe that the most straightforward fix would be to add an additional check, something along the lines of "if the Distro.ID value starts with opensuse, set the namespace to be opensuse".

This same issue likely applies to other RPM-based systems (it all depends on how the Distro.ID values they use correspond to the expected PURL namespace values), but I haven't done any additional research yet into other distros.

What you expected to happen:

The PURL namespace value for all OpenSUSE packages should be opensuse.

Other RPM-based distros should be evaluated to determine if similar issues apply to them.

Steps to reproduce the issue:

Run Syft against the official opensuse/leap:15.6 docker image.

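The mapping described in the comment above (Distro.ID used verbatim, rhel translated to redhat, and the proposed "starts with opensuse" collapse), written out as an added example. This is not Syft's code and does not mirror its internal types; it assumes the distro qualifier is formed as Distro.ID plus "-" plus the version, as the quoted opensuse-leap-15.6 PURLs suggest, and the sample inputs are constructed from the PURLs quoted in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rpmPURLNamespace derives the PURL namespace for an RPM package from the
// distro ID (the ID= field of /etc/os-release). Illustrative code, not
// Syft's: the ID is used verbatim, "rhel" becomes "redhat", and, per the
// fix proposed in the issue, any ID that starts with "opensuse"
// (opensuse-leap, opensuse-tumbleweed, ...) collapses to "opensuse" so the
// vendor, not the product line, is the namespace.
func rpmPURLNamespace(distroID string) string {
	id := strings.ToLower(distroID)
	switch {
	case id == "rhel":
		return "redhat"
	case strings.HasPrefix(id, "opensuse"):
		return "opensuse"
	default:
		return id
	}
}

// legacyRPMNamespace reproduces the behaviour the issue reports: only the
// rhel -> redhat translation, everything else verbatim. Kept so the two
// outputs can be compared side by side.
func legacyRPMNamespace(distroID string) string {
	id := strings.ToLower(distroID)
	if id == "rhel" {
		return "redhat"
	}
	return id
}

// rpmPURL assembles a pkg:rpm PURL. Version-specific information such as
// "opensuse-leap-15.6" belongs in the distro qualifier, not the namespace.
// The distro qualifier is assumed (not taken from Syft) to be
// distroID + "-" + distroVersion. url.Values.Encode sorts qualifier keys,
// which gives the canonical arch, distro, upstream ordering.
func rpmPURL(distroID, distroVersion, name, version, arch, upstream string) string {
	ns := rpmPURLNamespace(distroID)
	q := url.Values{}
	q.Set("arch", arch)
	q.Set("distro", distroID+"-"+distroVersion)
	if upstream != "" {
		q.Set("upstream", upstream)
	}
	return fmt.Sprintf("pkg:rpm/%s/%s@%s?%s", ns, name, version, q.Encode())
}

func main() {
	// Constructed inputs modelled on the opensuse/leap:15.6 PURLs in the issue.
	cases := []struct{ id, ver, name, pkgVer, arch, upstream string }{
		{"opensuse-leap", "15.6", "bash-sh", "4.4-150400.25.22", "x86_64", "bash-4.4-150400.25.22.src.rpm"},
		{"opensuse-leap", "15.6", "libpsl5", "0.20.1-150000.3.3.1", "x86_64", "libpsl-0.20.1-150000.3.3.1.src.rpm"},
		{"opensuse-tumbleweed", "20241217", "curl", "8.11.0-1.1", "x86_64", ""}, // constructed version
		{"rhel", "9.4", "bash", "5.1.8-9.el9", "x86_64", ""},                 // constructed version
	}
	for _, c := range cases {
		fmt.Printf("legacy namespace: %-20s fixed namespace: %s\n",
			legacyRPMNamespace(c.id), rpmPURLNamespace(c.id))
		fmt.Println("  ", rpmPURL(c.id, c.ver, c.name, c.pkgVer, c.arch, c.upstream))
	}
}
```

The prefix check is deliberately placed after the exact rhel match so that future exact-match translations for other distros can be added to the same switch without interfering with the opensuse family.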
@njv299 njv299 added the bug Something isn't working label Dec 17, 2024
@wagoodman wagoodman moved this to Ready in OSS Jan 8, 2025
@kzantow kzantow added the good-first-issue Good for newcomers label Jan 8, 2025
mprpic added a commit to mprpic/syft that referenced this issue Jan 23, 2025
Instead of namespacing them to the specific distro version, such as
Leap or Tumbleweed, the namespace value is set to the vendor itself:
"opensuse".

Resolves anchore#3534

Signed-off-by: Martin Prpič <mprpic@redhat.com>
@mprpic mprpic linked a pull request Jan 23, 2025 that will close this issue