
Add compliance policy for empty name and version #3257

Merged
merged 3 commits into from
Sep 20, 2024

Conversation

wagoodman
Contributor

@wagoodman wagoodman commented Sep 19, 2024

Adds a new compliance configuration to handle what to do when there is a missing name or version:

compliance:
  # action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
  missing-name: 'drop'
  
  # action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
  missing-version: 'stub'

Above are the default values, but the possible values a user can put in are:

  • keep, add a trace log but the non-compliant package is still added to the SBOM
  • drop, exclude the package from results, add a debug log
  • stub, replace the non-compliant empty value with UNKNOWN

Open questions:

  1. configuration-wise should this land within the pkgcataloging package? (instead of the cataloging package?)

Closes #2132
Closes #2652
Closes #2038
Closes #2039

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
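The following is an added illustration of how the three actions described above (keep, drop, stub) behave when applied to packages with an empty name or version. It is example code written for this page, not syft's implementation: the `Package` struct, the `ApplyPolicy` and `ConfigFromLookup` functions and the constructed sample packages are assumptions; only the action names, the defaults, the `UNKNOWN` stub value and the two environment variable names come from the PR description.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"strings"
)

// Action is the configured response to a package missing a name or version.
// The three values mirror the PR description: keep, drop, stub.
type Action string

const (
	Keep Action = "keep" // trace log, package still added to the SBOM
	Drop Action = "drop" // debug log, package excluded from results
	Stub Action = "stub" // empty value replaced with UNKNOWN
)

// Config mirrors the `compliance:` section shown in the PR description.
type Config struct {
	MissingName    Action
	MissingVersion Action
}

// Package is a hypothetical, minimal stand-in for a catalogued package.
type Package struct {
	Name    string
	Version string
	Type    string
}

// ParseAction validates a user-supplied action, falling back to def when empty.
func ParseAction(s string, def Action) (Action, error) {
	a := Action(strings.ToLower(strings.TrimSpace(s)))
	switch a {
	case "":
		return def, nil
	case Keep, Drop, Stub:
		return a, nil
	default:
		return def, fmt.Errorf("unknown compliance action %q (want keep, drop or stub)", s)
	}
}

// ConfigFromLookup builds a Config from the two env vars named in the PR,
// using the PR's defaults (drop for name, stub for version) when unset.
// lookup is injectable so the behaviour can be tested without touching the environment.
func ConfigFromLookup(lookup func(string) string) (Config, error) {
	name, err := ParseAction(lookup("SYFT_COMPLIANCE_MISSING_NAME"), Drop)
	if err != nil {
		return Config{}, err
	}
	version, err := ParseAction(lookup("SYFT_COMPLIANCE_MISSING_VERSION"), Stub)
	if err != nil {
		return Config{}, err
	}
	return Config{MissingName: name, MissingVersion: version}, nil
}

// applyField returns the (possibly stubbed) value and whether the package survives.
func applyField(field, value string, action Action, logf func(string, ...any)) (string, bool) {
	if strings.TrimSpace(value) != "" {
		return value, true // compliant, nothing to do
	}
	switch action {
	case Drop:
		logf("debug: dropping package with missing %s", field)
		return value, false
	case Stub:
		logf("debug: replacing missing %s with UNKNOWN", field)
		return "UNKNOWN", true
	default: // Keep
		logf("trace: keeping non-compliant package with missing %s", field)
		return value, true
	}
}

// ApplyPolicy filters and rewrites pkgs according to cfg; the name check runs
// first, so a package dropped for its name never reaches the version check.
func ApplyPolicy(cfg Config, pkgs []Package, logf func(string, ...any)) []Package {
	var out []Package
	for _, p := range pkgs {
		name, ok := applyField("name", p.Name, cfg.MissingName, logf)
		if !ok {
			continue
		}
		version, ok := applyField("version", p.Version, cfg.MissingVersion, logf)
		if !ok {
			continue
		}
		p.Name, p.Version = name, version
		out = append(out, p)
	}
	return out
}

func main() {
	// Constructed sample packages, not taken from any real scan.
	pkgs := []Package{
		{Name: "left-pad", Version: "1.3.0", Type: "npm"},
		{Name: "", Version: "2.0.0", Type: "npm"},
		{Name: "requests", Version: "", Type: "python"},
	}
	cfg, err := ConfigFromLookup(os.Getenv)
	if err != nil {
		log.Fatal(err)
	}
	for _, p := range ApplyPolicy(cfg, pkgs, log.Printf) {
		fmt.Printf("%s %s (%s)\n", p.Name, p.Version, p.Type)
	}
}
```

With the defaults the unnamed npm package is dropped and `requests` is emitted with version `UNKNOWN`; setting both env vars to `keep` passes all three through unchanged, which is the case kzantow's known-unknowns remark below would make visible in the files section rather than in the logs.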
@kzantow
Contributor

kzantow commented Sep 19, 2024

One observation: once the known-unknowns lands perhaps some of these options would go away / change? E.g. a user could surface something in the files section with something like:

/package.json
  unknowns: dropped package due to missing name


Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review September 19, 2024 20:54
@spiffcs
Contributor

spiffcs commented Sep 20, 2024

I think the config placement and package organization is correct here from an API standpoint so 🟢 from me. Was there any other discussion you wanted @wagoodman on this PR?

@wagoodman wagoodman added the enhancement New feature or request label Sep 20, 2024
@wagoodman wagoodman merged commit 963ea59 into main Sep 20, 2024
12 checks passed
@wagoodman wagoodman deleted the empty-name-version branch September 20, 2024 16:50
luhring added a commit to wolfi-dev/wolfictl that referenced this pull request Sep 25, 2024
Looks like just "UNKNOWN" being added to existing packages, likely from anchore/syft#3257.

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
spiffcs added a commit that referenced this pull request Oct 2, 2024
* main: (343 commits)
  feat: update haproxy classifier (#3277)
  chore(deps): update tools to latest versions (#3291)
  fix: don't use builtin scanner in licensecheck (#3290)
  chore(deps): update CPE dictionary index (#3288)
  chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#3289)
  update redis classifier (#3281)
  fix: improve node classifier version matching (#3284)
  fix: update ruby classifier for -rc, -dev, etc. versions (#3285)
  chore(deps): update CPE dictionary index (#3262)
  chore(deps): bump github.com/docker/docker (#3264)
  chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#3275)
  chore(deps): update stereoscope to dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
  chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
  add awaiting response management (#3272)
  fix: correct excluded mount point comparison to file paths (#3269)
  Add JVM cataloger (#3217)
  feat: classifier for Dart lang binaries (#3265)
  Add compliance policy for empty name and version (#3257)
  chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to 2.3.2 (#3254)
  chore(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#3255)
  ...
@willmurphyscode willmurphyscode mentioned this pull request Oct 5, 2024