Add filters to package cataloger

[jonasagx]

This PR adds filters so a package without name or version doesn't go in the list of all discovered packages. Two catalogers were modified:

• generic cataloger: used by most specific catalogers, acts as a central-ish way of guaranteeing packages have a name.
• python package cataloger: doesn't use the generic cataloger, therefore needed its own package filter.

This PR addresses items 1, 2 and 3 from #780 (comment).

Integration and units tests were added to validate behavior.

Fix: #780

Signed-off-by: Jonas Xavier jonasx@anchore.com

[jonasagx]

SPDX doesn't require package version, while CycloneDX does.
We should be compatible with both formats and only require package name.

[stevespringett]

As of CDX v1.4, component version is optional, not required.

[luhring]

Thanks for getting this started! This isn't ready for merging just yet.

At the highest level, we need to figure out the best place to filter out unacceptable packages. As implemented currently, this filtering happens fairly downstream in the process. This is good in that there's a central place where filtering happens, but it's not good in that it means unusable packages are flowing through more parts of the logic. This makes the code a bit trickier to debug and makes it easier to miss problems — such as that we haven't yet accounted for package relationships properly (I commented on this below). So I think we need to figure out a better place to do this filtering.

I see that you've added CLI tests, but it's not yet clear to me why these tests needed to be created at the "CLI" level. I've asked about this in a code comment below.

The PR description says that you've added integration tests, but I don't see new integration tests. Is there more code to check into this branch? (I do see new test fixture files added.)

See the other code comments for the rest of my thoughts — although some may become moot depending on how the implementation ends up pivoting.

Let me know if you have any questions!

[luhring]

If I'm understanding correctly, we just want to test to see if a package has a name, is that right? If so, it seems like we don't need all these pieces, and we could just use the p.Name == "" directly above.

[jonasagx]

Correct, this code no longer exists. Generic and Python Package catalogers do the equivalent filtering.

[luhring]

If we're going to discard this package from processing, we should do this check as early as possible. Putting the check here is problematic for a couple of reasons:

1. We're doing work above this point (e.g. creating CPEs) that might ultimately be wasted. So this would point to at least moving this check to the top of the for ... packages loop. But more importantly,
2. This implementation doesn't deal with relationships that may have been created for packages that we'll end up excluding from the catalog, so we may end up with relationships that reference packages that don't exist, which is a big problem. We generate relationships here in this loop, but catalogers also can return relationships. So this filtering probably needs to be done at least as upstream as in the catalogers themselves, so that we never generate relationships for packages we're going to discard.

[jonasagx]

I addressed items 1 and 2 with the generic cataloger and the python package cataloger. In the generic cataloger I remove all relationships From and To a dropped package.

So this filtering probably needs to be done at least as upstream as in the catalogers themselves, so that we never generate relationships for packages we're going to discard.

Having package and relationships dropped by the generic cataloger still a (centralized) last barrier for invalid packages.

[luhring]

Why is this test fixture called "broken..."? It looks like this fixture is intended to lead to a correct cataloging of a package, is that right?

[luhring]

Also, I think it's a bit confusing to reason about this entry in the Syft output, since this name actually includes a version-looking piece of data. I'd suggest dropping the -2.0.0, so it's really clear that this is a case where we did not find any version information.

[jonasagx]

Thanks for pointing that out. I moved it to the integration tests folder of fixtures, under a new file: no-version.

[jonasagx]

Thank you for the review @luhring!

At the highest level, we need to figure out the best place to filter out unacceptable packages. As implemented currently, this filtering happens fairly downstream in the process. This is good in that there's a central place where filtering happens, but it's not good in that it means unusable packages are flowing through more parts of the logic. This makes the code a bit trickier to debug and makes it easier to miss problems — such as that we haven't yet accounted for package relationships properly (I commented on this below). So I think we need to figure out a better place to do this filtering.

I added package filtering validation to the generic cataloger, used by most specific catalogers. I added code removing impacted relationships.

The Python Package Cataloger doesn't use the generic cataloger, I had to change it to filter out packages without name. This cataloger doesn't gather relationships so the change is pretty simple.

The PR description says that you've added integration tests, but I don't see new integration tests. Is there more code to check into this branch? (I do see new test fixture files added.)

I removed the cli tests in favor of unit and integration tests. Before I had added only integration test fixtures, sorry for the confusion.

[jonasagx]

Notice this cataloger doesn't return relationships

[jonasagx]

Other than the Python Package Cataloger I've found a couple others that don't depend on generic cataloger:

• deb.NewDpkgdbCataloger() requires version and name to make a package 👍🏼
• rpmdb.NewRpmdbCataloger() doesn't enforce non-empty name, but it depends on data from rpmDBs, I don't know how reliable they are 🤞🏼
• golang.NewGoModuleBinaryCataloger() relies on go mod path, which is always present 👍🏼

[luhring]

This is getting closer... 👍

I left some specific comments, but I'll also provide some high-level feedback here:

1. There's still an integration test being leveraged here, but again, we don't need an integration test here — we can just use a unit test. Using a unit test is preferable wherever possible.

2. We should have a central function that checks is a package is viable (i.e. has a name). A function like this is defined in the python package, but it should be defined instead in a central place, and then used by all the catalogers, so that we're applying the same criteria to packages from all catalogers. I saw your comment about some of the catalogers maybe being okay without this check, but I'd strongly encourage the use of this check for all code paths, so that we can centrally control what the requirements are for a viable package. It's not clear to me that the assumptions about other catalogers like RPM and Go are sufficient here.

[luhring]

nit: Using the var pkgIDsForRemoval []artifact.Identifiable syntax for statements like this is a bit cleaner, and also has the advantage of avoiding a wasted array allocation in the event that no items are ever appended to this slice.

[luhring]

(this comment can apply to other similar lines like this added in this PR — but again, this is just a "nit" comment)

[luhring]

Since we have a need for this check across multiple catalogers — both the generic cataloger and others — we should extract this check out as a centralized function that can be used by any catalogers that need it

[jonasagx]

I moved the validation to a func in the pkg package (:P words...), which is then reused by other catalogers.

[luhring]

We can make the name removePkgsFromRelationships more clear. This function isn't removing packages, it's removing relationships.

Additionally, the logic here isn't specific to packages, since you've used the type artifact.Identifiable. I think it's a good choice to use this type, since all you need are IDs. 👍

I'd suggest a function name like removeRelationshipsWithArtifactIDs, and I'd suggest renaming the pkgs parameter to something like artifactsToExclude.

[jonasagx]

Good call, I renamed the function and param with your suggestions.

[luhring]

I think we can simplify and optimize this implementation. Specifically, we can avoid the nested for loops and the goto. And we can also avoid looping through all packages for every single relationship.

My suggestion here is to use a map to store the artifact IDs to exclude, so that we can determine whether a given ID is in the set with an O(1) lookup. You have two options for doing this: 1) you could build the map inside this function, using the given []artifact.Identifiable` value, or 2) you could just ask the function caller for this map in the first place (instead of a slice). Given how this function is called above, I'd lean toward option 2, since it looks like it'd be just as easy to construct this set as a map as it is now to construct it as a slice.

[jonasagx]

I agree, I implemented option 2.

[luhring]

Nice testing here! 👍

[luhring]

This is the kind of function that should exist centrally for all catalogers to leverage, as opposed to defined just in the python package.

[luhring]

Separately, this function takes a pointer (*pkg.Package) but then doesn't check for a nil pointer condition, which could lay a trap for future developers to enable a nil pointer dereference panic. I'd suggest adjusting this function signature so that it doesn't take a pointer (it would just take a pkg.Package), since the caller is already checking for p != nil and could just as easily pass a dereferenced pkg.Package to this function.

[jonasagx]

The new pkg validation check for nil values as well.

[jonasagx]

I saw your comment about some of the catalogers maybe being okay without this check, but I'd strongly encourage the use of this check for all code paths, so that we can centrally control what the requirements are for a viable package. It's not clear to me that the assumptions about other catalogers like RPM and Go are sufficient here.

I've added pkg validation to deb/rpm/golang catalogers, I expanded the unit tests to ensure correct dropping of invalid packages.

[luhring]

I think we're close... a couple of things to clear up

[luhring]

Can you explain this change? I want to understand your thinking here

[jonasagx]

Yes, this glob (**/*.txt) will find a file named empty.txt, that will turn into an invalid package, and relationship, later on dropped from the final list. The previous glob (**/a-path.txt) wouldn't find empty.txt.

[luhring]

Looks great, thanks!