diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml new file mode 100644 index 0000000000..f70df0c6df --- /dev/null +++ b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml 
@@ -0,0 +1,604 @@ + + + + 2023-03-02T12:04:22+11:00 + + + anchore + syft + 0.73.0 + + + + alpine:latest + sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 + + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-baselayout + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 331776 + alpine-baselayout + Q1/eXfmbYT1WXenFSqKjroYyK84NE= + alpine-baselayout-data=3.4.0-r0 + /bin/sh + 8890 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-baselayout-data + 3.4.0-r0 + Alpine base dir structure and init scripts + + + GPL-2.0-only + + + cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 + + + https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + 
cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 + 77824 + alpine-baselayout + Q1/JgpM8J6DWI/541tUX+uHEzSjqo= + 11664 + + + + Natanael Copa <ncopa@alpinelinux.org> + alpine-keys + 2.4-r1 + Public keys for Alpine Linux packages + + + MIT + + + cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* + cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + aab68f8c9ab434a46710de8e12fb3206e2930a59 + 159744 + alpine-keys + Q1KM01lfKVp+gEZn23awujqjSkrN8= + 13361 + + + + Natanael Copa <ncopa@alpinelinux.org> + apk-tools + 2.12.10-r1 + Alpine Package Keeper - package manager for alpine + + + GPL-2.0-only + + + cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 + + + https://gitlab.alpinelinux.org/alpine/apk-tools + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + 
cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* + cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 0188f510baadbae393472103427b9c1875117136 + 307200 + apk-tools + so:libapk.so.3.12.0=3.12.0 + cmd:apk=2.12.10-r1 + Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= + musl>=1.2 + ca-certificates-bundle + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + so:libz.so.1 + 120973 + + + + busybox + 1.35.0 + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + + binary-cataloger + BinaryMetadata + binary + cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /bin/busybox + + + + Sören Tempel <soeren+alpine@soeren-tempel.net> + busybox + 1.35.0-r29 + Size optimized toolbox of many common UNIX utilities + + + GPL-2.0-only + + + cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:* + pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 962560 + busybox + cmd:busybox=1.35.0-r29 + Q1NN3sp0yr99btRysqty3nQUrWHaY= + so:libc.musl-x86_64.so.1 + 509600 + + + + Sören Tempel <soeren+alpine@soeren-tempel.net> + busybox-binsh + 1.35.0-r29 + busybox ash /bin/sh + + + GPL-2.0-only + + + cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* + 
cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 8192 + busybox + /bin/sh + cmd:sh=1.35.0-r29 + Q1miWwyhWKXVEiRYLhmArV1TKMs6A= + busybox=1.35.0-r29 + 1547 + + + + Natanael Copa <ncopa@alpinelinux.org> + ca-certificates-bundle + 20220614-r4 + Pre generated bundle of Mozilla certificates + + + MPL-2.0 + + + MIT + + + cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 + + + https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* + cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e1839fd45a096c9e21ac24f8a61991d357d11628 + 237568 + ca-certificates + ca-certificates-cacert=20220614-r4 + Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= + 126296 + + + + Natanael Copa <ncopa@alpinelinux.org> + libc-utils + 0.7.2-r3 + Meta package to pull in correct libc + + + BSD-2-Clause + + + BSD-3-Clause + + + cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + 
pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 + + + https://alpinelinux.org + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* + cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 60424133be2e79bbfeff3d58147a22886f817ce2 + 4096 + libc-dev + Q19Gg06pBPiiG9UN94ql7qImsHSUQ= + musl-utils + 1485 + + + + Ariadne Conill <ariadne@dereferenced.org> + libcrypto3 + 3.0.8-r0 + Crypto library from openssl + + + Apache-2.0 + + + cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 4206592 + openssl + so:libcrypto.so.3=3 + Q1lyWpurYeMlLEt60ys+OlTABmzgs= + so:libc.musl-x86_64.so.1 + 1710217 + + + + Ariadne Conill <ariadne@dereferenced.org> + libssl3 + 3.0.8-r0 + SSL shared libraries + + + Apache-2.0 + + + cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* + pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 + + + https://www.openssl.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 524302e205a5b43c2bb48d041bcb10ccf2b480f9 + 622592 + openssl + so:libssl.so.3=3 + Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + 246853 + + + + Timo Teräs <timo.teras@iki.fi> + musl + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* + 
pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 634880 + musl + so:libc.musl-x86_64.so.1=1 + Q1Pk7x1woArbB1nzkMPJPq1TECwus= + 388955 + + + + Timo Teräs <timo.teras@iki.fi> + musl-utils + 1.2.3-r4 + the musl c library (libc) implementation + + + MIT + + + BSD-2-Clause + + + GPL-2.0-or-later + + + cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 + + + https://musl.libc.org/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* + cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + f93af038c3de7146121c2ea8124ba5ce29b4b058 + 135168 + musl + cmd:getconf=1.2.3-r4 + cmd:getent=1.2.3-r4 + cmd:iconv=1.2.3-r4 + cmd:ldconfig=1.2.3-r4 + cmd:ldd=1.2.3-r4 + Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= + scanelf + so:libc.musl-x86_64.so.1 + 36697 + + + + Natanael Copa <ncopa@alpinelinux.org> + scanelf + 1.3.5-r1 + Scan ELF binaries for stuff + + + GPL-2.0-only + + + cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* + pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 + + + https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + e52243dbb02069f10d48440ccc5fd41fa5fc2236 + 98304 + pax-utils + cmd:scanelf=1.3.5-r1 + Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= + so:libc.musl-x86_64.so.1 + 37687 + + + + Sören 
Tempel <soeren+alpine@soeren-tempel.net> + ssl_client + 1.35.0-r29 + EXternal ssl_client for busybox wget + + + GPL-2.0-only + + + cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + + + https://busybox.net/ + + + + apkdb-cataloger + ApkMetadata + apk + cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + 1dbf7a793afae640ea643a055b6dd4f430ac116b + 28672 + busybox + cmd:ssl_client=1.35.0-r29 + Q1QuqZjeP6XG85I29tOiCWofL8Cj0= + so:libc.musl-x86_64.so.1 + so:libcrypto.so.3 + so:libssl.so.3 + 4929 + + + + Natanael Copa <ncopa@alpinelinux.org> + zlib + 1.2.13-r0 + A compression/decompression Library + + + Zlib + + + cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:* + pkg:apk/alpine/zlib@1.2.10-r2?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 + + + https://zlib.net/ + + + + apkdb-cataloger + ApkMetadata + apk + sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 + /lib/apk/db/installed + bb37266b06a72d21d1fd850ef4b86665cf9ef70f + 110592 + zlib + so:libz.so.1=1.2.13 + Q1rjnXT01l1PAxXheUxe4Oldl5rFk= + so:libc.musl-x86_64.so.1 + 54258 + + + + alpine + 3.17.2 + Alpine Linux v3.17 + + + + https://gitlab.alpinelinux.org/alpine/aports/-/issues + + + https://alpinelinux.org/ + + + + alpine + Alpine Linux v3.17 + 3.17.2 + + + + \ No newline at end of file diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml b/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml index 3f21fd89da..a414da9134 100644 --- a/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml +++ b/cmd/osv-scanner/fixtures/sbom-insecure/osv-scanner.toml 
@@ -47,3 +47,8 @@ reason = "This is a intentionally vulnerable test sbom"
 id = "DLA-3051-1"
 # ignoreUntil = n/a
 reason = "This is a intentionally vulnerable test sbom"
+
+[[IgnoredVulns]]
+id = "CVE-2022-37434"
+# ignoreUntil = n/a
+reason = "This is a intentionally vulnerable test sbom"
diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
index a2671d9312..02a74e847b 100644
--- a/cmd/osv-scanner/main_test.go
+++ b/cmd/osv-scanner/main_test.go
@@ -139,14 +139,16 @@ func TestRun(t *testing.T) {
 // one specific supported sbom with vulns
 {
 name: "",
- args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "./fixtures/sbom-insecure/postgres-stretch.cdx.xml"},
+ args: []string{"", "--config=./fixtures/osv-scanner-empty-config.toml", "./fixtures/sbom-insecure/"},
 wantExitCode: 1,
 wantStdout: `
- Scanning dir ./fixtures/sbom-insecure/postgres-stretch.cdx.xml
+ Scanning dir ./fixtures/sbom-insecure/
+ Scanned %%/fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 15 packages
 Scanned %%/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
 +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
 | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
 +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
+ | https://osv.dev/CVE-2022-37434 | | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml |
 | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/GHSA-v95c-p5hm-xq8f | 6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
 | https://osv.dev/GO-2022-0274 | | | | | |
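Review bot: The comment `// one specific supported sbom with vulns` above the case is now stale: the args point at the whole `./fixtures/sbom-insecure/` directory and the expected output lists two SBOMs, so it should read something like `// a directory of supported sboms with vulns`. The expected zlib row reports `1.2.10-r2`, which is the version in the fixture's PURL rather than the `1.2.13-r0` in its component version element, so the test silently pins that the PURL wins when the two disagree; a one-line comment on the case (or on the fixture) should say that this mismatch is intentional. Scanning a directory presumably makes the output order follow the file listing, which is stable here only because `alpine` sorts before `postgres`; worth a note so a future fixture name does not reorder the table.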
diff --git a/pkg/models/purl_to_package.go b/pkg/models/purl_to_package.go
index 4641dc8ced..8ca28e6e39 100644
--- a/pkg/models/purl_to_package.go
+++ b/pkg/models/purl_to_package.go
@@ -4,18 +4,40 @@ import (
 "github.com/package-url/packageurl-go"
 )
 
-var purlEcosystems = map[string]Ecosystem{
- "cargo": EcosystemCratesIO,
- "deb": EcosystemDebian,
- "hex": EcosystemHex,
- "golang": EcosystemGo,
- "maven": EcosystemMaven,
- "nuget": EcosystemNuGet,
- "npm": EcosystemNPM,
- "composer": EcosystemPackagist,
- "generic": EcosystemOSSFuzz,
- "pypi": EcosystemPyPI,
- "gem": EcosystemRubyGems,
+// used like so: purlEcosystems[PkgURL.Type][PkgURL.Namespace]
+// * means it should match any namespace string
+var purlEcosystems = map[string]map[string]Ecosystem{
+ "apk": {"alpine": EcosystemAlpine},
+ "cargo": {"*": EcosystemCratesIO},
+ "deb": {"debian": EcosystemDebian},
+ "hex": {"*": EcosystemHex},
+ "golang": {"*": EcosystemGo},
+ "maven": {"*": EcosystemMaven},
+ "nuget": {"*": EcosystemNuGet},
+ "npm": {"*": EcosystemNPM},
+ "composer": {"*": EcosystemPackagist},
+ "generic": {"*": EcosystemOSSFuzz},
+ "pypi": {"*": EcosystemPyPI},
+ "gem": {"*": EcosystemRubyGems},
+}
+
+func getPURLEcosystem(pkgURL packageurl.PackageURL) Ecosystem {
+ ecoMap, ok := purlEcosystems[pkgURL.Type]
+ if !ok {
+ return Ecosystem(pkgURL.Type + ":" + pkgURL.Namespace)
+ }
+
+ wildcardRes, hasWildcard := ecoMap["*"]
+ if hasWildcard {
+ return wildcardRes
+ }
+
+ ecosystem, ok := ecoMap[pkgURL.Namespace]
+ if !ok {
+ return Ecosystem(pkgURL.Type + ":" + pkgURL.Namespace)
+ }
+
+ return ecosystem
 }
 
 // PURLToPackage converts a Package URL string to models.PackageInfo
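Review bot: The fallback `Ecosystem(pkgURL.Type + ":" + pkgURL.Namespace)` used in both miss branches of getPURLEcosystem yields a dangling separator such as `type:` whenever the PURL has no namespace component, and it also changes the previous fallback of bare `Type`; build the fallback once and omit the separator when `pkgURL.Namespace` is empty. That namespace text comes straight from the SBOM being scanned, so the synthetic ecosystem string is input-controlled; presumably it is later used to query OSV, which deserves a sentence on the function so nobody treats the value as a trusted enum. The wildcard entry is consulted before the namespace entry, so a table row that paired `*` with a specific namespace would never reach the specific one; fine for the current table, but the `purlEcosystems` comment should say "a `*` entry takes precedence over any namespace entry". The `distro` qualifier (for example `distro=alpine-3.17.2` in the new fixture) is not consulted; if the Alpine ecosystem is release-qualified on the OSV side, that qualifier is the only place the release lives.
```go
func getPURLEcosystem(pkgURL packageurl.PackageURL) Ecosystem {
	// Fallback for types/namespaces absent from the table. Omit the
	// separator when the PURL has no namespace so "type" does not become "type:".
	unknown := Ecosystem(pkgURL.Type)
	if pkgURL.Namespace != "" {
		unknown = Ecosystem(pkgURL.Type + ":" + pkgURL.Namespace)
	}

	ecoMap, ok := purlEcosystems[pkgURL.Type]
	if !ok {
		return unknown
	}
	// … unchanged: wildcard lookup …
	ecosystem, ok := ecoMap[pkgURL.Namespace]
	if !ok {
		return unknown
	}
	return ecosystem
}
```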
@@ -24,10 +46,7 @@ func PURLToPackage(purl string) (PackageInfo, error) {
 if err != nil {
 return PackageInfo{}, err
 }
- ecosystem, ok := purlEcosystems[parsedPURL.Type]
- if !ok {
- ecosystem = Ecosystem(parsedPURL.Type)
- }
+ ecosystem := getPURLEcosystem(parsedPURL)
 
 // PackageInfo expects the full namespace in the name for ecosystems that specify it.
 name := parsedPURL.Name
diff --git a/pkg/models/purl_to_package_test.go b/pkg/models/purl_to_package_test.go
index c6623e790e..310607690b 100644
--- a/pkg/models/purl_to_package_test.go
+++ b/pkg/models/purl_to_package_test.go
@@ -52,7 +52,7 @@ func TestPURLToPackage(t *testing.T) {
 },
 },
 {
- name: "valid Debian maven",
+ name: "valid PURL Debian",
 args: args{
 purl: "pkg:deb/debian/nginx@2.36.1-8+deb11u1",
 },
@@ -62,6 +62,17 @@ func TestPURLToPackage(t *testing.T) {
 Ecosystem: string(models.EcosystemDebian),
 },
 },
+ {
+ name: "valid PURL alpine",
+ args: args{
+ purl: "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64upstream=zlib&distro=alpine-3.17.2",
+ },
+ want: models.PackageInfo{
+ Name: "zlib",
+ Version: "1.2.13-r0",
+ Ecosystem: string(models.EcosystemAlpine),
+ },
+ },
 {
 name: "invalid PURL",
 args: args{
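Review bot: The new `valid PURL alpine` case in purl_to_package_test.go feeds `?arch=x86_64upstream=zlib&distro=alpine-3.17.2`, which is missing the `&` between the first two qualifiers; the case passes only because the qualifiers are never consulted, so it does not exercise the input shape of the fixture's `pkg:apk/alpine/zlib@1.2.10-r2?arch=x86_64&upstream=zlib&distro=alpine-3.17.2`. Change it to `purl: "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2",`. A companion case for an `apk` PURL whose namespace is not `alpine`, and one for a type outside the table, would pin the synthetic fallback string the new lookup produces, which is currently untested. The enclosing `TestPURLToPackage` table starts and ends outside both hunks.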