fix: correct apk purls for other distros #1620

Merged: westonsteimel merged 1 commit into main from fix-apk-purls on Feb 24, 2023

@westonsteimel
Contributor

The apk purl spec allows for vendor-specific namespace. I noticed in the embedded SBOMs from wolfi that the purls are of the form `pkg:apk/wolfi/curl@7.83.0-r0?arch=x86`, but the current logic in syft actually prevents purl generation entirely if the distro isn't alpine, so this corrects that behaviour.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
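
The behaviour change described in this pull request, as an added example that is not syft's own code: the `apkPkg` type and all function names are hypothetical, and the empty-distro case is an assumption. It contrasts an alpine-only gate, which leaves packages from other apk-based distros with no purl, with using the distro ID as the purl namespace.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// apkPkg is a hypothetical, minimal view of an installed apk package.
type apkPkg struct {
	Name, Version, Arch string
}

// purlAlpineOnly models the behaviour the PR describes as wrong:
// no purl is produced at all unless the distro is alpine.
func purlAlpineOnly(distroID string, p apkPkg) string {
	if distroID != "alpine" {
		return ""
	}
	return buildApkPurl("alpine", p)
}

// purlVendorNamespace uses the distro ID as the vendor namespace.
// Assumption of this example: an unknown distro yields no purl.
func purlVendorNamespace(distroID string, p apkPkg) string {
	if distroID == "" {
		return ""
	}
	return buildApkPurl(distroID, p)
}

// buildApkPurl assembles pkg:apk/<namespace>/<name>@<version>?arch=<arch>,
// lowercasing namespace and name and percent-encoding each component.
func buildApkPurl(namespace string, p apkPkg) string {
	s := fmt.Sprintf("pkg:apk/%s/%s@%s",
		url.PathEscape(strings.ToLower(namespace)),
		url.PathEscape(strings.ToLower(p.Name)),
		url.PathEscape(p.Version))
	if p.Arch != "" {
		s += "?arch=" + url.QueryEscape(p.Arch)
	}
	return s
}

func main() {
	curl := apkPkg{Name: "curl", Version: "7.83.0-r0", Arch: "x86"} // constructed sample
	for _, d := range []string{"alpine", "wolfi"} {
		fmt.Printf("%-6s old=%q new=%q\n", d, purlAlpineOnly(d, curl), purlVendorNamespace(d, curl))
	}
}
```
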
@github-actions

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz
                                                          │ ./.tmp/benchmark-4b4703a.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                    14.68m ± 4%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              1.135m ± 8%
ImagePackageCatalogers/python-package-cataloger-2                            3.839m ± 3%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    878.8µ ± 5%
ImagePackageCatalogers/javascript-package-cataloger-2                        469.9µ ± 2%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    647.8µ ± 4%
ImagePackageCatalogers/rpm-db-cataloger-2                                    628.9µ ± 3%
ImagePackageCatalogers/java-cataloger-2                                      13.81m ± 3%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                      10.39µ ± 2%
ImagePackageCatalogers/apkdb-cataloger-2                                     648.5µ ± 4%
ImagePackageCatalogers/go-module-binary-cataloger-2                          23.19µ ± 2%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               1.235m ± 4%
ImagePackageCatalogers/portage-cataloger-2                                   407.6µ ± 3%
ImagePackageCatalogers/sbom-cataloger-2                                      129.8µ ± 1%
ImagePackageCatalogers/binary-cataloger-2                                    172.9µ ± 2%
geomean                                                                      577.1µ

                                                          │ ./.tmp/benchmark-4b4703a.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.060Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             141.7Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           946.9Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.8Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       95.62Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.6Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.3Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.722Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.523Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    123.0Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.102Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.4Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.39Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.04Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   21.18Ki ± 0%
geomean                                                                     106.9Ki

                                                          │ ./.tmp/benchmark-4b4703a.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.159k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.49k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.457k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.253k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     3.252k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.011k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     649.0 ± 0%
geomean                                                                      2.180k

@westonsteimel westonsteimel requested a review from a team February 24, 2023 16:16
@westonsteimel westonsteimel enabled auto-merge (squash) February 24, 2023 16:17
@westonsteimel westonsteimel merged commit 3ee1af0 into main Feb 24, 2023
@westonsteimel westonsteimel deleted the fix-apk-purls branch February 24, 2023 20:07
@kzantow kzantow added the bug Something isn't working label Mar 2, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024