931: binary cataloger exclusion defaults

[spiffcs]

Binary cataloger exclusion defaults

Fixes #931

PR #1948 introduces a new implicit exclusion for packages that overlap by file ownership and have certain characteristics:

// 1) the relationship between packages is OwnershipByFileOverlap
// 2) the parent is an "os" package
// 3) the child is a synthetic package generated by the binary cataloger
// 4) the package names are identical

Packages found by the following catalogers will dedupe synthetic binary packages given an overlap as described above:

apkdb,
alpm,
deb
nix,
rpm (file and db)

I've added an integration test that captures the new default where scanning an alpine image with busybox goes from:

alpine-baselayout       3.4.3-r1     apk
alpine-baselayout-data  3.4.3-r1     apk
alpine-keys             2.4-r1       apk
apk-tools               2.14.0-r2    apk
busybox                 1.36.1       binary
busybox                 1.36.1-r0    apk
busybox-binsh           1.36.1-r0    apk
ca-certificates-bundle  20230506-r0  apk
libc-utils              0.7.2-r5     apk
libcrypto3              3.1.1-r1     apk
libssl3                 3.1.1-r1     apk
musl                    1.2.4-r0     apk
musl-utils              1.2.4-r0     apk
scanelf                 1.3.7-r1     apk
ssl_client              1.36.1-r0    apk
zlib                    1.2.13-r1    apk

to

alpine-baselayout       3.4.3-r1     apk
alpine-baselayout-data  3.4.3-r1     apk
alpine-keys             2.4-r1       apk
apk-tools               2.14.0-r2    apk
busybox                 1.36.1-r0    apk
busybox-binsh           1.36.1-r0    apk
ca-certificates-bundle  20230506-r0  apk
libc-utils              0.7.2-r5     apk
libcrypto3              3.1.1-r1     apk
libssl3                 3.1.1-r1     apk
musl                    1.2.4-r0     apk
musl-utils              1.2.4-r0     apk
scanelf                 1.3.7-r1     apk
ssl_client              1.36.1-r0    apk
zlib                    1.2.13-r1    apk

[github-actions]

Benchmark Test Results

Benchmark results from the latest changes vs base branch

goos: linux%0Agoarch: amd64%0Apkg: github.com/anchore/syft/test/integration%0Acpu: Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz%0A                                                              │ ./.tmp/benchmark-6cc1b86.txt │%0A                                                              │            sec/op            │%0AImagePackageCatalogers/alpmdb-cataloger-2                                       15.43m ±  8%25%0AImagePackageCatalogers/apkdb-cataloger-2                                        1.012m ±  6%25%0AImagePackageCatalogers/binary-cataloger-2                                       262.6µ ±  8%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                       771.9µ ±  8%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                   28.92µ ±  8%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                             128.6µ ±  5%25%0AImagePackageCatalogers/java-cataloger-2                                         16.19m ± 25%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                         134.2µ ±  5%25%0AImagePackageCatalogers/javascript-package-cataloger-2                           537.6µ ±  5%25%0AImagePackageCatalogers/nix-store-cataloger-2                                    401.9µ ±  3%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                       1.071m ±  7%25%0AImagePackageCatalogers/portage-cataloger-2                                      685.0µ ±  8%25%0AImagePackageCatalogers/python-package-cataloger-2                               4.479m ±  6%25%0AImagePackageCatalogers/r-package-cataloger-2                                    322.7µ ±  7%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                       738.0µ ±  3%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                 1.385m ±  7%25%0AImagePackageCatalogers/sbom-cataloger-2                                         159.3µ ±  2%25%0Ageomean                                                                         664.2µ%0A%0A                                                              │ ./.tmp/benchmark-6cc1b86.txt │%0A                                                              │             B/op             │%0AImagePackageCatalogers/alpmdb-cataloger-2                                       5.144Mi ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                        205.7Ki ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                       30.46Ki ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                       172.6Ki ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                   3.695Ki ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                             9.906Ki ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                         2.843Mi ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                         8.595Ki ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                           94.20Ki ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                    49.33Ki ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                       186.6Ki ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                      120.2Ki ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                               1.003Mi ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                    53.29Ki ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                       181.4Ki ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                 144.1Ki ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                         14.20Ki ± 0%25%0Ageomean                                                                         100.6Ki%0A%0A                                                              │ ./.tmp/benchmark-6cc1b86.txt │%0A                                                              │          allocs/op           │%0AImagePackageCatalogers/alpmdb-cataloger-2                                        88.14k ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                         4.190k ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                         848.0 ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                        3.145k ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                     132.0 ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                               281.0 ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                          40.19k ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                           228.0 ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                            1.342k ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                      898.0 ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                        4.080k ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                       2.272k ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                                16.45k ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                      929.0 ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                        3.992k ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                  2.447k ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                           394.0 ± 0%25%0Ageomean                                                                          2.062k

[spiffcs]

Quick update on this PR - after some discussion we're going to dial back the feature to not be exposed to the user yet and just fix this for the narrower cases of name --> name overlap in the case of os --> binary(synthetic package) matches

[kzantow]

No blockers, but left some feedback.

[kzantow]

could these just be simplified into 2 variables? something like:

var parentCatalogerTypes = []string { .... }
var childCatalogerTypes = []string { .... }

[spiffcs]

Nice! Yea that would be a good simplification here.

My only hesitancy to change it back to that is the original config object we had discussed on the issue:
#931 (comment)

I think keeping this as is has two advantages:

1. Is clear to future users/contributors that Os/Binary categorization types were an explicit choice as and additional condition. The parent child designation loses this nuance a little.
2. It keeps us open to category based configuration options we may want to consider in the future

WDYT?

[kzantow]

If the concern is that we want to be explicit about OS and binary cataloger types, these could be named

var osCatalogerTypes = []string { .... }
var binaryCatalogerTypes = []string { .... }

keeps us open to category based configuration options we may want to consider in the future

I'm all for forward-thinking such as being open to more configuration. The suggestion was more that since we're not doing that at the moment, we don't necessarily know what that would look like (although you had an option originally), so it might be better to just make whatever changes at such time as we do change the feature. Again, this is not a blocker and I'll leave it to your discernment.

[kzantow]

One more question I forgot: should this PR include a boolean config option to revert this behavior?

[spiffcs]

One more question I forgot: should this PR include a boolean config option to revert this behavior?

Yea good call - this should now be added with 58f6d69

I've opted for the new behavior of exclusions to be the default since we've identified the synthetic binary packages in some cases to be a mistake. Users can add the following to their configs to reenable the old flow:

exclude-binary-overlap-by-ownership: false

[kzantow]

Note the comment about the change to encode_decode_cycle_test, I think this might be a blocker (and an accidental commit?)

[kzantow]

If the concern is that we want to be explicit about OS and binary cataloger types, these could be named

var osCatalogerTypes = []string { .... }
var binaryCatalogerTypes = []string { .... }

keeps us open to category based configuration options we may want to consider in the future

I'm all for forward-thinking such as being open to more configuration. The suggestion was more that since we're not doing that at the moment, we don't necessarily know what that would look like (although you had an option originally), so it might be better to just make whatever changes at such time as we do change the feature. Again, this is not a blocker and I'll leave it to your discernment.

[kzantow]

LGTM 👍 -- and definitely agree that having the default behavior as you noted to exclude these entries in the SBOM

[wagoodman]

the code has exclude-binary-overlap-by-ownership https://github.com/anchore/syft/pull/1948/files#diff-9dd8956cf9479ebf46ae7743d82d2d89bd81661bd13cd239651ff31f414f10b5R226

[wagoodman]

why delete the DefaultConfig method?

[spiffcs]

This function was only used as a part of *_test.go files. It was moved here:

syft/test/integration/utils_test.go

Lines 57 to 65 in c7272fd

	func defaultConfig() cataloger.Config {
	return cataloger.Config{
	Search: cataloger.DefaultSearchConfig(),
	Parallelism: 1,
	LinuxKernel: kernel.DefaultLinuxCatalogerConfig(),
	Python: python.DefaultCatalogerConfig(),
	ExcludeBinaryOverlapByOwnership: true,
	}
	}

Apologies for the boy scout change on an unrelated PR - my IDE was yelling about this being deadcode and I could not figure out why - the refactor over to test resolved that issue

[wagoodman]

this function seems very specific, but has a very generic name. I think the name should probably be tweaked to be a little more specific.

[wagoodman]

I think the filtering should be based on the package type, not the cataloger names.