
Respond to authoritative CPEs from catalogers #3166

Merged (1 commit) on Aug 27, 2024

Conversation

wagoodman (Contributor) wrote:

Today, if a cataloger happens to find a CPE and attach it to the package, and we're configured to generate CPEs, we blindly add additional CPEs next to the other CPEs found. In reality, if the cataloger has already found an authoritative CPE, we should prefer that value over any we would typically generate; this PR changes the behavior to this.

Before:

❯ go run ./cmd/syft ~/scratch/curl -o json | jq '.artifacts[] '
{
  "id": "0d29b58484d4ecfb",
  "name": "curl",
  "version": "8.9.1",
  "type": "binary",
  "foundBy": "binary-classifier-cataloger",
  ...
  "cpes": [
    {
      "cpe": "cpe:2.3:a:haxx:curl:8.9.1:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    },
    {
      "cpe": "cpe:2.3:a:curl:curl:8.9.1:*:*:*:*:*:*:*",
      "source": "syft-generated"
    }
  ],
  "purl": "pkg:generic/curl@8.9.1",
  "metadataType": "binary-signature",
  ...
}

After:

❯ go run ./cmd/syft ~/scratch/curl -o json | jq '.artifacts[] '
{
  "id": "0d29b58484d4ecfb",
  "name": "curl",
  "version": "8.9.1",
  "type": "binary",
  "foundBy": "binary-classifier-cataloger",
  ...
  "cpes": [
    {
      "cpe": "cpe:2.3:a:haxx:curl:8.9.1:*:*:*:*:*:*:*",
      "source": "nvd-cpe-dictionary"
    }
  ],
  "purl": "pkg:generic/curl@8.9.1",
  "metadataType": "binary-signature",
  ...
}
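The before/after output above shows the whole change: with an NVD-dictionary CPE already attached by the cataloger, the guessed `curl:curl` CPE is no longer appended beside the authoritative `haxx:curl` one. The following Go program is an added illustration of that selection rule and is not syft's own code; the `CPE` and `Package` types, the `decorateBefore`/`decorateAfter` functions and the trivial `generateCPEs` heuristic (vendor = product = package name) are assumptions made for this example, and `exampleCurl` is constructed from the JSON shown in the PR description. A guessed vendor that disagrees with the dictionary entry is exactly the kind of CPE that produces mismatched vulnerability matches downstream, which is why an authoritative value should win outright rather than be merged.

```go
package main

import "fmt"

// CPE is a hypothetical minimal representation of a CPE attached to a package,
// carrying the same "source" label that appears in the JSON output above.
type CPE struct {
	Value  string
	Source string
}

// Package is a hypothetical package record: identity plus any CPEs a
// cataloger already attached (for example from an NVD dictionary lookup).
type Package struct {
	Name    string
	Version string
	CPEs    []CPE
}

// generateCPEs stands in for the heuristic generator. This is an assumption for
// the example: it guesses vendor == product == package name.
func generateCPEs(p Package) []CPE {
	return []CPE{{
		Value:  fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", p.Name, p.Name, p.Version),
		Source: "syft-generated",
	}}
}

// decorateBefore models the old behaviour from the PR description: generated
// CPEs are appended next to whatever the cataloger found.
func decorateBefore(p Package) []CPE {
	merged := append([]CPE{}, p.CPEs...)
	merged = append(merged, generateCPEs(p)...)
	return dedupe(merged)
}

// decorateAfter models the new behaviour: any CPE the cataloger attached is
// treated as authoritative, and generation only runs when none was found.
func decorateAfter(p Package) []CPE {
	if len(p.CPEs) > 0 {
		return dedupe(p.CPEs)
	}
	return dedupe(generateCPEs(p))
}

// dedupe drops repeated CPE strings while keeping first-seen order, so a
// generated guess that happens to equal an authoritative value is not doubled.
func dedupe(in []CPE) []CPE {
	seen := make(map[string]bool, len(in))
	out := make([]CPE, 0, len(in))
	for _, c := range in {
		if seen[c.Value] {
			continue
		}
		seen[c.Value] = true
		out = append(out, c)
	}
	return out
}

// exampleCurl is constructed from the "before" JSON in the PR description:
// the binary cataloger already attached the NVD-dictionary CPE for curl.
var exampleCurl = Package{
	Name:    "curl",
	Version: "8.9.1",
	CPEs: []CPE{{
		Value:  "cpe:2.3:a:haxx:curl:8.9.1:*:*:*:*:*:*:*",
		Source: "nvd-cpe-dictionary",
	}},
}

func main() {
	fmt.Println("before:")
	for _, c := range decorateBefore(exampleCurl) {
		fmt.Printf("  %s (%s)\n", c.Value, c.Source)
	}
	fmt.Println("after:")
	for _, c := range decorateAfter(exampleCurl) {
		fmt.Printf("  %s (%s)\n", c.Value, c.Source)
	}
}
```

Running it prints two CPEs under "before" (the dictionary one plus the `curl:curl` guess) and only the dictionary CPE under "after"; a package with no cataloger-attached CPE still gets the generated one, so the fallback path is unchanged.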

@wagoodman wagoodman added the bug Something isn't working label Aug 27, 2024
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman force-pushed the allow-for-authoratative-cpes-from-catalogers branch from 2c69891 to 58e1a41 on August 27, 2024 13:24
@wagoodman wagoodman requested a review from a team August 27, 2024 13:25
@wagoodman wagoodman merged commit e9a8c27 into main Aug 27, 2024
11 checks passed
@wagoodman wagoodman deleted the allow-for-authoratative-cpes-from-catalogers branch August 27, 2024 14:26