Resolve owned file paths when searching for overlaps#3828
Merged
Conversation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
spiffcs
reviewed
Apr 24, 2025
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
spiffcs
approved these changes
Apr 24, 2025
spiffcs
added a commit
that referenced
this pull request
Apr 29, 2025
* main: (150 commits) fix the fluent-bit regex detection pattern (#3817) chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832) chore(deps): update tools to latest versions (#3830) Resolve owned file paths when searching for overlaps (#3828) chore(deps): update anchore dependencies (#3827) fix: Make the fileresolver Support Prefix Match of Files (#3820) Add support for detecting javascript assets in .NET projects using libman (#3825) chore(deps): update tools to latest versions (#3823) (feat): support skipping archive extraction with file source (#3795) Consider DLL claims for dependencies of .NET packages from deps.json (#3822) PE cataloger should consider compile target paths from deps.json (#3821) Perf: skip license scanner injection (#3796) chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 (#3818) chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 (#3819) chore(deps): update tools to latest versions (#3815) docs: document test commands (#3816) Support detection of Chrome binaries (#3136) fix:allow golang tip image detection regex pattern (#3757) fix:Make the parse of the replace part in ```go.mod``` more compliant and traceable (#3812) (fix): delete collection name/type key entries when empty (#3797) ... Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
spiffcs
added a commit
that referenced
this pull request
May 1, 2025
* main: (142 commits) feat: detect when full license text has been provided and preserve as separate field (#3450) chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 (#3843) chore(deps): update tools to latest versions (#3841) Update github.com/Masterminds/semver to v3 (#3836) Add support for PHP Pear (#2775) fix: Improve detection of erlang binary in alpine Linux (#3839) fix:Resolve ancestral symlinks correctly (#3783) chore(deps): update CPE dictionary index (#3834) chore(deps): update tools to latest versions (#3835) chore(deps): bump github.com/charmbracelet/bubbletea from 1.3.4 to 1.3.5 (#3838) fix the fluent-bit regex detection pattern (#3817) chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832) chore(deps): update tools to latest versions (#3830) Resolve owned file paths when searching for overlaps (#3828) chore(deps): update anchore dependencies (#3827) fix: Make the fileresolver Support Prefix Match of Files (#3820) Add support for detecting javascript assets in .NET projects using libman (#3825) chore(deps): update tools to latest versions (#3823) (feat): support skipping archive extraction with file source (#3795) Consider DLL claims for dependencies of .NET packages from deps.json (#3822) ... Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Today we add relationships between packages that overlap in file ownership, say when the python cataloger finds a package at path
Xand the debian DB cataloger also finds the same package at the same file pathX--in this case we leave both packages and add afile-ownership-by-overlaprelationship between them. In the case where the same path conflict occurs and this is between a binary file and a debian package then we remove the binary package altogether.The problem is that package ownership locations are unresolved strings (copied from the RPM DB or the Dpkg DB, etc) and the package locations are resolved real paths. This can cause issues int he case of anchore/grype#2527 where the debian package writes through the
/binsymlink to the realpath of/usr/binto drop in thegzipbinary.This PR fixes this behavior by just-in-time attempting to resolve any paths from the
FileOwnerType of change
Checklist
TODO