fix: further improvements to CPE generation for apk packages by westonsteimel · Pull Request #1623 · anchore/syft

westonsteimel · 2023-02-24T21:01:59Z

Adds many known CPE vendor candidates to APK CPE generation as well as using known project URL prefixes from APK metadata to generate known vendor candidates. Eventually we might be able to remove some of the overrides in candidate_by_packages_type.go and rely on the URL logic; however, currently apks installed from Wolfi don't include any URL info, so we will retain them for now.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

github-actions · 2023-02-24T21:06:25Z

Benchmark Test Results

Benchmark results from the latest changes vs base branch

goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.86m ± 23%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             844.8µ ±  2%
ImagePackageCatalogers/python-package-cataloger-2                           3.044m ±  2%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   648.5µ ±  1%
ImagePackageCatalogers/javascript-package-cataloger-2                       346.6µ ±  1%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   463.9µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   438.1µ ±  1%
ImagePackageCatalogers/java-cataloger-2                                     10.54m ±  3%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.931µ ±  3%
ImagePackageCatalogers/apkdb-cataloger-2                                    790.5µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         18.11µ ±  1%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              950.6µ ±  1%
ImagePackageCatalogers/portage-cataloger-2                                  287.8µ ± 10%
ImagePackageCatalogers/sbom-cataloger-2                                     102.7µ ±  0%
ImagePackageCatalogers/binary-cataloger-2                                   143.8µ ±  1%
geomean                                                                     452.1µ

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.060Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             141.9Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           947.2Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.9Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       95.99Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.6Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.8Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.725Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.523Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    207.7Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.102Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.1Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.53Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.06Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   21.20Ki ± 0%
geomean                                                                     110.8Ki

                                                          │ ./.tmp/benchmark-d560742.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.159k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.48k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.457k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.253k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     5.000k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.010k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     649.0 ± 0%
geomean                                                                      2.243k

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

…#1623) * fix: consider upstream logic during apk cpe gen * fix: correct apk CPE for go * fix: correct apk CPE for ruby * fix: correct apk CPE for bazel * fix: correct apk CPE for clang * fix: correct apk CPE for openjdk * fix: correct apk CPE for glibc * fix: correct apk CPE for gli * fix: correct apk CPE for bas * fix: correct apk CPE for alsa-lib * fix: correct apk CPE for alsa * fix: determine apk cpe vendor from known URLs * fix: add more url prefix->vendor mappings for apk * refactor: allow reuse of vendor by url prefix logic * feat: extract username as vendor candidate from github/gitlab Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

westonsteimel added 17 commits February 24, 2023 20:54

fix: consider upstream logic during apk cpe gen

ec9e43b

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for go

16b04de

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for ruby

2d84ec9

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for bazel

adb6c74

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for clang

08c97a7

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for openjdk

d230254

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for glibc

93cc853

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for glib

e34b0aa

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for bash

0d8b4ba

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for alsa-lib

bdf2180

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: correct apk CPE for alsa

7a0edca

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: determine apk cpe vendor from known URLs

533a68a

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

fix: add more url prefix->vendor mappings for apk

8387b88

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

refactor: allow reuse of vendor by url prefix logic

17477ed

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

more tests

b01a95e

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

more refactoring and tests

b32ff2e

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

more updates

ab6a031

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

westonsteimel added 2 commits February 24, 2023 21:11

tests for vendor from url logic

187c745

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

feat: extract username as vendor candidate from github/gitlab

ac012d9

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

westonsteimel force-pushed the apk-cpe-gen-improvements branch from d49951a to ac012d9 Compare February 25, 2023 10:05

spiffcs approved these changes Feb 27, 2023

View reviewed changes

spiffcs merged commit fbda21f into main Feb 27, 2023

spiffcs deleted the apk-cpe-gen-improvements branch February 27, 2023 18:16

kzantow added the bug Something isn't working label Mar 2, 2023

dependabot Bot mentioned this pull request Mar 13, 2023

Bump github.com/anchore/syft from 0.71.0 to 0.74.1 valllabh/security-cli#16

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: further improvements to CPE generation for apk packages#1623

fix: further improvements to CPE generation for apk packages#1623
spiffcs merged 19 commits intomainfrom
apk-cpe-gen-improvements

westonsteimel commented Feb 24, 2023

Uh oh!

github-actions Bot commented Feb 24, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

westonsteimel commented Feb 24, 2023

Uh oh!

github-actions Bot commented Feb 24, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Benchmark Test Results

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

github-actions Bot commented Feb 24, 2023 •

edited

Loading