fix: retain sbom cataloger relationships (#1509)

Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com> Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>
2024-11-10 06:14:16 +00:00 · 2023-05-15 16:57:21 +03:00 · 2023-05-15 16:57:21 +03:00 · b4ed599481
commit b4ed599481
parent e925d9d4a5
4 changed files with 129 additions and 528 deletions
--- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
+++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
@ -247,7 +247,6 @@ func (p *CatalogTester) assertPkgs(t *testing.T, pkgs []pkg.Package, relationshi
 			t.Errorf("unexpected packages from parsing (-expected +actual)\n%s", diff)
 		}
 	}
-
 	{
 		var r diffReporter
 		var opts []cmp.Option
--- a/syft/pkg/cataloger/sbom/cataloger.go
+++ b/syft/pkg/cataloger/sbom/cataloger.go
@ -41,7 +41,7 @@ func parseSBOM(_ source.FileResolver, _ *generic.Environment, reader source.Loca
 	}

 	var pkgs []pkg.Package
-	var relationships []artifact.Relationship
+	relationships := s.Relationships
 	for _, p := range s.Artifacts.Packages.Sorted() {
 		// replace all locations on the package with the location of the SBOM file.
 		// Why not keep the original list of locations? Since the "locations" field is meant to capture
--- a/syft/pkg/cataloger/sbom/cataloger_test.go
+++ b/syft/pkg/cataloger/sbom/cataloger_test.go
@ -252,7 +252,131 @@ func Test_parseSBOM(t *testing.T) {
 		},
 	}

-	var expectedRelationships []artifact.Relationship
+	apkgdbLocation := source.NewLocationSet(source.Location{
+		LocationData: source.LocationData{
+			Coordinates: source.Coordinates{
+				RealPath:     "/lib/apk/db/installed",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+		},
+	})
+
+	libSSL := pkg.Package{
+		Name:      "libssl1.1",
+		Version:   "1.1.1s-r0",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"OpenSSL"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/libssl1.1@1.1.1s-r0?arch=x86_64&upstream=openssl&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:libssl1.1:libssl1.1:1.1.1s-r0:*:*:*:*:*:*:*",
+		),
+	}
+
+	sslClient := pkg.Package{
+		Name:      "ssl_client",
+		Version:   "1.35.0-r17",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/ssl_client@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:ssl-client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl-client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl_client:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl_client:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl:ssl-client:1.35.0-r17:*:*:*:*:*:*:*",
+			"cpe:2.3:a:ssl:ssl_client:1.35.0-r17:*:*:*:*:*:*:*",
+		),
+	}
+
+	baseLayout := pkg.Package{
+		Name:      "alpine-baselayout",
+		Version:   "3.2.0-r23",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/alpine-baselayout@3.2.0-r23?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+			"cpe:2.3:a:alpine:alpine_baselayout:3.2.0-r23:*:*:*:*:*:*:*",
+		),
+	}
+
+	busybox := pkg.Package{
+		Name:      "busybox",
+		Version:   "1.35.0-r17",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"GPL-2.0-only"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/busybox@1.35.0-r17?arch=x86_64&upstream=busybox&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:busybox:busybox:1.35.0-r17:*:*:*:*:*:*:*",
+		),
+	}
+
+	musl := pkg.Package{
+		Name:      "musl",
+		Version:   "1.2.3-r1",
+		Type:      "apk",
+		Locations: apkgdbLocation,
+		Licenses:  []string{"MIT"},
+		FoundBy:   "apkdb-cataloger",
+		PURL:      "pkg:apk/alpine/musl@1.2.3-r1?arch=x86_64&upstream=musl&distro=alpine-3.16.3",
+		CPEs: mustCPEs(
+			"cpe:2.3:a:musl:musl:1.2.3-r1:*:*:*:*:*:*:*",
+		),
+	}
+
+	expectedRelationships := []artifact.Relationship{
+		{
+			From: libSSL,
+			To:   sslClient,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: libSSL,
+			To: source.Coordinates{
+				RealPath:     "/lib/libssl.so.1.1",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: busybox,
+			To:   baseLayout,
+			Type: artifact.DependencyOfRelationship,
+		},
+		{
+			From: baseLayout,
+			To: source.Coordinates{
+				RealPath:     "/etc/profile.d/color_prompt.sh.disabled",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: baseLayout,
+			To: source.Coordinates{
+				RealPath:     "/etc/modprobe.d/kms.conf",
+				FileSystemID: "sha256:e5e13b0c77cbb769548077189c3da2f0a764ceca06af49d8d558e759f5c232bd",
+			},
+			Type: artifact.ContainsRelationship,
+		},
+		{
+			From: musl,
+			To:   libSSL,
+			Type: artifact.DependencyOfRelationship,
+		},
+	}

 	for _, p := range expectedPkgs {
 		expectedRelationships = append(expectedRelationships, artifact.Relationship{
--- a/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json
+++ b/syft/pkg/cataloger/sbom/test-fixtures/alpine/syft-json/sbom.syft.json
@ -2020,11 +2020,6 @@
  }
 ],
 "artifactRelationships": [
-  {
-   "parent": "1455a8342bbb31ff",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
  {
   "parent": "1455a8342bbb31ff",
   "child": "674d1e2fba4d633a",
@ -2035,71 +2030,13 @@
   "child": "bf6955e2941356b2",
   "type": "contains"
  },
-  {
-   "parent": "206fdb47b3e980eb",
-   "child": "716efe160a925698",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "206fdb47b3e980eb",
-   "child": "ae378054cbd7ef90",
-   "type": "contains"
-  },
-  {
-   "parent": "30622a1848b22bca",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "30622a1848b22bca",
-   "child": "f2d3dfa05f2554a0",
-   "type": "contains"
-  },
-  {
-   "parent": "42d502b764a37310",
-   "child": "6a92934c972808b8",
-   "type": "contains"
-  },
-  {
-   "parent": "42d502b764a37310",
-   "child": "b04bc3289bb54853",
-   "type": "contains"
-  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "231e2b9b768a1fff",
-   "type": "contains"
-  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "51a0badf3b704202",
-   "type": "contains"
-  },
+ 
  {
   "parent": "4b48ef6f6b983526",
   "child": "61eac5ce8105d394",
   "type": "dependency-of"
  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "78bf055cad090d65",
-   "type": "contains"
-  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "7b5d21b40bc7eee7",
-   "type": "contains"
-  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "91817eca9cc4b5de",
-   "type": "contains"
-  },
-  {
-   "parent": "4b48ef6f6b983526",
-   "child": "a2c9b7dd9588eed5",
-   "type": "contains"
-  },
+ 
  {
   "parent": "61eac5ce8105d394",
   "child": "2a20bd42108d699a",
@ -2110,470 +2047,11 @@
   "child": "3617fb189dce6482",
   "type": "contains"
  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "3b5675f91b90110",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "6407d5cf424b18ad",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "7e87ca025472176a",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "84e95c181a3977e9",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "9ce07ed49f8fb925",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "b83f6a50a3bd4519",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "c7d306fe1c6785c7",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "c82217b71778b876",
-   "type": "contains"
-  },
-  {
-   "parent": "61eac5ce8105d394",
-   "child": "e6b17bb11a720679",
-   "type": "contains"
-  },
+  
  {
   "parent": "64efc8a629f13d02",
   "child": "1455a8342bbb31ff",
   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "206fdb47b3e980eb",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "4b48ef6f6b983526",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "4c909bab2f47ab6",
-   "type": "contains"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "61eac5ce8105d394",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "674d1e2fba4d633a",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "716efe160a925698",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "75f0d92f695b4303",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "64efc8a629f13d02",
-   "child": "8184c2647c8f0bf1",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "674d1e2fba4d633a",
-   "child": "dfa8a561b5b9eed",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "1455a8342bbb31ff",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "206fdb47b3e980eb",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "2abd3b45f6fa4702",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "30622a1848b22bca",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "42d502b764a37310",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "4b48ef6f6b983526",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "61eac5ce8105d394",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "64efc8a629f13d02",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "674d1e2fba4d633a",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "716efe160a925698",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "75f0d92f695b4303",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "8184c2647c8f0bf1",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "82d183eb300978cc",
-   "type": "contains"
-  },
-  {
-   "parent": "6b7f97b22b59a2c6bc62354f00df8dcafb8a32716bc958a788a7004e0a391232",
-   "child": "e8c6fcc3a282ed4f",
-   "type": "contains"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "1b47e047a7a2d57c",
-   "type": "contains"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "2abd3b45f6fa4702",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "72d84b54cc507273",
-   "type": "contains"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "88f42084360d15dc",
-   "type": "contains"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "e0f2d4db60a9b798",
-   "type": "contains"
-  },
-  {
-   "parent": "716efe160a925698",
-   "child": "e4f8a4c0b073c8bc",
-   "type": "contains"
-  },
-  {
-   "parent": "75f0d92f695b4303",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "75f0d92f695b4303",
-   "child": "52dc0abd8e7f5999",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "1455a8342bbb31ff",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "287e44a117aa6396",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "2ea8f53adecae6f3",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "34a945b6fcfc9394",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "42d502b764a37310",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "461f2cb164a4d9de",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "5217fc877d4a56a3",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "5b247851eb9d9920",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "629d9b60ae1d9e52",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "674d1e2fba4d633a",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "7c76c319483f88f8",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "80d54a8d1cb02a6b",
-   "type": "contains"
-  },
-  {
-   "parent": "8184c2647c8f0bf1",
-   "child": "e90735c3db4c5cc",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "202110ab27dcf973",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "3078ae894cd9cfbd",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "387bdef96b1af6e4",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "388b915e3caf5f8b",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "3d8ddf18e3124850",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "44900ed9ce94fa9e",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "487fe69baafa2d7e",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "5353cb0dc92ea4b",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "55708c7a7e686d62",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "55e20144d113e62d",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "59a8217f4f6c22a1",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "68769d7fd3919789",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "6a0ff9781347bfd9",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "6fbe3c2a939ebbd2",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "7e6812fc46b6a77",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "983be5c7034a6165",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "a01e0e5b23c3173d",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "af97d47465df73a7",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "c4944df811809487",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "e041389ecc1c5526",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "f02ff58080ad2795",
-   "type": "contains"
-  },
-  {
-   "parent": "82d183eb300978cc",
-   "child": "f7de852c28002fea",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "33b11b3a2ec70e8f",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "3426822570585ca6",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "37f2712bfdc05029",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "61eac5ce8105d394",
-   "type": "dependency-of"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "65ba00203fcb00b7",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "98d3eb523b0b443b",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "98fd433dcbda9dd8",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "aa75789d9e818133",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "aebdc91357768244",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "c7479ec33c892d37",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "de09f2147681af25",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "e1ce65f920562037",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "f68970af52c912d3",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "fc7c614fbff1fe93",
-   "type": "contains"
-  },
-  {
-   "parent": "e8c6fcc3a282ed4f",
-   "child": "ff4dbb6e8f3bb698",
-   "type": "contains"
  }
 ],
 "files": [