fix: further improvements to CPE generation for apk packages #1623

Status: Merged (19 commits), Feb 27, 2023

Conversation

westonsteimel (Contributor) wrote:

Adds many known CPE vendor candidates to APK CPE generation as well as using known project URL prefixes from APK metadata to generate known vendor candidates. Eventually we might be able to remove some of the overrides in candidate_by_packages_type.go and rely on the URL logic; however, currently apks installed from Wolfi don't include any URL info, so we will retain them for now.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
github-actions bot commented Feb 24, 2023:

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.86m ± 23%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             844.8µ ±  2%
ImagePackageCatalogers/python-package-cataloger-2                           3.044m ±  2%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   648.5µ ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       346.6µ ±  1%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   463.9µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   438.1µ ±  1%
ImagePackageCatalogers/java-cataloger-2                                     10.54m ±  3%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.931µ ±  3%
ImagePackageCatalogers/apkdb-cataloger-2                                    790.5µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         18.11µ ±  1%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              950.6µ ±  1%
ImagePackageCatalogers/portage-cataloger-2                                  287.8µ ± 10%
ImagePackageCatalogers/sbom-cataloger-2                                     102.7µ ±  0%
ImagePackageCatalogers/binary-cataloger-2                                   143.8µ ±  1%
geomean                                                                     452.1µ

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.060Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             141.9Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           947.2Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.9Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       95.99Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.6Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.8Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.725Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.523Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    207.7Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.102Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.1Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.53Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.06Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   21.20Ki ± 0%
geomean                                                                     110.8Ki

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.159k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.48k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.457k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.253k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     5.000k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.010k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     649.0 ± 0%
geomean                                                                      2.243k

westonsteimel force-pushed the apk-cpe-gen-improvements branch from d49951a to ac012d9 on February 25, 2023 10:05
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request on Feb 19, 2024:
…#1623)

* fix: consider upstream logic during apk cpe gen
* fix: correct apk CPE for go
* fix: correct apk CPE for ruby
* fix: correct apk CPE for bazel
* fix: correct apk CPE for clang
* fix: correct apk CPE for openjdk
* fix: correct apk CPE for glibc
* fix: correct apk CPE for gli
* fix: correct apk CPE for bas
* fix: correct apk CPE for alsa-lib
* fix: correct apk CPE for alsa
* fix: determine apk cpe vendor from known URLs
* fix: add more url prefix->vendor mappings for apk
* refactor: allow reuse of vendor by url prefix logic
* feat: extract username as vendor candidate from github/gitlab

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
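The PR description above and the commit list ("determine apk cpe vendor from known URLs", "url prefix->vendor mappings", "extract username as vendor candidate from github/gitlab") describe one mechanism: turning an apk package's project URL into CPE vendor candidates. The Go below is an added illustration written for this page, not syft's code; the prefix table, the function name `VendorCandidatesFromURL`, and the choice to require owner/repo form for forge URLs are assumptions, and syft's real mappings live in `candidate_by_packages_type.go` and the logic this PR adds.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed prefix->vendor table (longest prefix first) for illustration;
// syft's real mappings live in candidate_by_packages_type.go and this PR.
var knownURLPrefixVendors = []struct{ prefix, vendor string }{
	{"https://www.gnu.org/software/", "gnu"},
	{"https://www.openssl.org", "openssl"},
	{"https://www.python.org", "python"},
	{"https://www.ruby-lang.org", "ruby-lang"},
}

// Code hosts where the first path segment is the owning user/org (assumed set).
var forgeHosts = map[string]bool{"github.com": true, "gitlab.com": true}

// VendorCandidatesFromURL derives CPE vendor candidates from an apk package's
// project URL: a known-prefix match first, then the owning account for
// github/gitlab URLs in owner/repo form (a bare host yields nothing).
// Result is lowercased and deduplicated; nil means nothing could be inferred,
// so a caller would fall back to the package-name overrides the PR retains.
func VendorCandidatesFromURL(rawURL string) []string {
	rawURL = strings.ToLower(strings.TrimSpace(rawURL))
	seen := map[string]bool{}
	var out []string
	add := func(v string) {
		if v != "" && !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	for _, kv := range knownURLPrefixVendors {
		if strings.HasPrefix(rawURL, kv.prefix) {
			add(kv.vendor)
			break
		}
	}
	if u, err := url.Parse(rawURL); err == nil && forgeHosts[u.Hostname()] {
		if parts := strings.Split(strings.Trim(u.Path, "/"), "/"); len(parts) >= 2 {
			add(parts[0])
		}
	}
	return out
}

func main() { fmt.Println(VendorCandidatesFromURL("https://github.com/Kubernetes/kubernetes")) }
```

A URL that matches neither a known prefix nor a forge host returns nil, which is exactly the Wolfi case the description mentions (no URL metadata), hence the retained name-based overrides.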
Labels: bug (Something isn't working)
3 participants