feat: CPEs format decoder #4207
Conversation
Most of the code is adopted from the decoder of package URLs in syft, and the tests are taken from Grype. I don't want to make it seem like I claim authorship of that.

Is there anything I can do to move this forward?
Thanks for the contribution @chovanecadam, sorry it got lost in the noise 🤦. For setting the package type from the CPE target_sw, I think we could move that to the Backfill process as the very last step, if we could not determine the package type otherwise. This would help to improve support for SBOMs with only CPEs and no other way to determine package type, too.
f7cb815 to bcb2442
kzantow left a comment:
Sorry for the delay, just a couple of asks mostly related to testing; thanks very much for working on this @chovanecadam!
        backfillFromPurl(p)
    }

    if len(p.CPEs) != 0 {
nit: is there a reason to have this check, since the backfillFromCPE is doing the same thing?
good nit, I removed superfluous tests in b3da15b

    // CPETargetSoftwareToPackageType is derived from looking at target_software attributes in the NVD dataset
    // TODO: ideally this would be driven from the store, where we can resolve ecosystem aliases directly
    func CPETargetSoftwareToPackageType(tsw string) pkg.Type {
We should add some basic tests for this function, probably in the decoder_test above -- I don't see any CPEs with targetSW set that result in execution of this logic; did I miss this, or could you add a couple of tests?
I added a few test cases to the cpe decoder_test as well as to the backfill_test.
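The two ideas discussed above, backfilling the package type from the CPE target_sw only as a last resort, and the target_sw-to-type lookup that the reviewed CPETargetSoftwareToPackageType performs, as an added example in Go. This is not syft's or Grype's code: it assumes a cut-down `Package` struct with plain string types instead of `pkg.Type`, a hypothetical `TargetSoftware` helper that splits a CPE 2.3 formatted string on unescaped colons, and an illustrative, constructed subset table `targetSoftwareToType` rather than syft's real mapping. The backfill step leaves an already-determined type alone, skips malformed CPEs, and ignores the ANY (`*`) and NA (`-`) values, which carry no ecosystem information.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// cpeFieldCount is the number of colon-separated components in a CPE 2.3
// formatted string: cpe:2.3:part:vendor:product:version:update:edition:
// language:sw_edition:target_sw:target_hw:other
const cpeFieldCount = 13

// splitCPE23 splits a CPE 2.3 formatted string on unescaped colons and drops
// the backslash escapes, so "node\.js" comes back as "node.js" and "prod\:x"
// stays one component. Hypothetical helper written for this example.
func splitCPE23(s string) ([]string, error) {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		return nil, errors.New("dangling escape in CPE: " + s)
	}
	fields = append(fields, cur.String())
	if len(fields) != cpeFieldCount || fields[0] != "cpe" || fields[1] != "2.3" {
		return nil, errors.New("not a CPE 2.3 formatted string: " + s)
	}
	return fields, nil
}

// TargetSoftware returns the target_sw component (index 10) of a CPE 2.3 string.
func TargetSoftware(cpe string) (string, error) {
	fields, err := splitCPE23(cpe)
	if err != nil {
		return "", err
	}
	return fields[10], nil
}

// targetSoftwareToType is an illustrative subset, constructed for this example,
// of the kind of table CPETargetSoftwareToPackageType derives from NVD target_sw
// values. The right-hand side stands in for syft's pkg.Type constants.
var targetSoftwareToType = map[string]string{
	"node.js": "npm",
	"python":  "python",
	"ruby":    "gem",
	"go":      "go-module",
	"rust":    "rust-crate",
	"java":    "java-archive",
}

// Package is a cut-down stand-in for syft's pkg.Package (assumption).
type Package struct {
	Name string
	Type string // empty means "not determined"
	CPEs []string
}

// BackfillTypeFromCPEs is the last-resort step described in the review: it only
// acts when no earlier source (cataloger, purl) set a type, and reports whether
// it changed the package.
func BackfillTypeFromCPEs(p *Package) bool {
	if p.Type != "" {
		return false // an earlier, more reliable source already decided
	}
	for _, c := range p.CPEs {
		tsw, err := TargetSoftware(c)
		if err != nil {
			continue // malformed CPE: skip it rather than fail the whole SBOM
		}
		if tsw == "*" || tsw == "-" {
			continue // ANY / NA say nothing about the ecosystem
		}
		if t, ok := targetSoftwareToType[strings.ToLower(tsw)]; ok {
			p.Type = t
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a CPE-only SBOM entry with no purl and no cataloger type.
	p := &Package{Name: "lodash", CPEs: []string{"cpe:2.3:a:lodash:lodash:4.17.20:*:*:*:*:node.js:*:*"}}
	changed := BackfillTypeFromCPEs(p)
	fmt.Printf("changed=%v type=%q\n", changed, p.Type)
}
```

Keeping the CPE-derived type as the final fallback matters for precision: a purl or a cataloger knows the real ecosystem, while target_sw is whatever the NVD curator chose, so it should never override those sources.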
    }

    syftPkgOpts := []cmp.Option{
        cmpopts.IgnoreFields(pkg.Package{}, "id", "Type", "Language"),
We probably want to actually test the Type here, and add at least one test exercising multiple CPEs.
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
cff2bcf to 7b9df15
@kzantow I added test cases and rebased on top of main.
to be used in Grype instead of its code Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
7147e35 to 786fcfd
Once this merges, I will create an MR in Grype to make use of syft/pkg/cataloger/common/cpe/target_software_to_pkg_type.go instead of its own, and a separate MR that enables Grype to scan a list of CPEs.
kzantow left a comment:
Great! Thanks for the contribution @chovanecadam
Description
Closes:
Adds a CPE decoder to aid Grype with scanning a file of CPEs. I have a WIP commit that implements that here: chovanecadam/grype@53bd626
This is my first bigger contribution to Syft, so please double-check that I didn't make some mistake.
I didn't implement an encoder: Syft generates many possible CPEs, and I don't see a use case for this output format.
I have adopted the unit tests from grype/grype/pkg/cpe_provider_test.go as this basically implements the same functionality.