RedHatProductSecurity / security-data-guidelines

A set of documents detailing Red Hat's publishing of security data.
https://redhatproductsecurity.github.io/security-data-guidelines/
MIT License

remove other relationship from syft generated rpm sboms #35

Closed jasinner closed 2 weeks ago

jasinner commented 1 month ago

By default Syft generates SPDX Documents where embedded dependencies discovered in a go.mod file have an extra set of 'OTHER' relationships added, in addition to the expected 'CONTAINS' relationship. Let's reduce the number of relationships in the SBOM by removing the 'OTHER' ones.

This also changes the URL used by SourceN packages to use the internal git location if a remote one is not found.

Lastly it adds CPE values to the RPM release manifest.

twaugh commented 1 month ago

Might this end up with packages not referenced by a relationship?

jasinner commented 1 month ago

> Might this end up with packages not referenced by a relationship?

I didn't notice earlier but there are 2 relationship types added by Syft. An 'OTHER' relationship which is removed by this PR, and the expected 'CONTAINS' one.
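One way to check the concern raised above before and after pruning, as an added example that is not code from this PR, from Syft or from the security-data-guidelines project: the SPDX document below is constructed, with one module (SPDXRef-gomod-c) deliberately given only an OTHER relationship so the orphan check fires after the OTHER relationships are dropped.

```python
import json

# Constructed SPDX 2.3 sample (not Syft output): a root RPM package that CONTAINS
# Go modules, plus the redundant OTHER relationships this PR removes. gomod-c is
# the edge case: it is referenced by an OTHER relationship only.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-rpm",
    "documentDescribes": ["SPDXRef-rpm"],
    "packages": [
        {"SPDXID": "SPDXRef-rpm", "name": "example"},
        {"SPDXID": "SPDXRef-gomod-a", "name": "github.com/example/a"},
        {"SPDXID": "SPDXRef-gomod-b", "name": "github.com/example/b"},
        {"SPDXID": "SPDXRef-gomod-c", "name": "github.com/example/c"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-rpm",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-rpm", "relatedSpdxElement": "SPDXRef-gomod-a",
         "relationshipType": "CONTAINS"},
        {"spdxElementId": "SPDXRef-rpm", "relatedSpdxElement": "SPDXRef-gomod-a",
         "relationshipType": "OTHER"},
        {"spdxElementId": "SPDXRef-rpm", "relatedSpdxElement": "SPDXRef-gomod-b",
         "relationshipType": "CONTAINS"},
        {"spdxElementId": "SPDXRef-rpm", "relatedSpdxElement": "SPDXRef-gomod-b",
         "relationshipType": "OTHER"},
        {"spdxElementId": "SPDXRef-rpm", "relatedSpdxElement": "SPDXRef-gomod-c",
         "relationshipType": "OTHER"},
    ],
}


def drop_other_relationships(doc):
    """Return a deep copy of the SPDX document with every OTHER relationship removed."""
    out = json.loads(json.dumps(doc))
    out["relationships"] = [
        r for r in out["relationships"] if r["relationshipType"] != "OTHER"
    ]
    return out


def unreferenced_packages(doc):
    """SPDXIDs of packages that no relationship mentions on either side and that
    the document does not list in documentDescribes."""
    referenced = set(doc.get("documentDescribes", []))
    for r in doc["relationships"]:
        referenced.add(r["spdxElementId"])
        referenced.add(r["relatedSpdxElement"])
    return sorted(p["SPDXID"] for p in doc["packages"] if p["SPDXID"] not in referenced)


if __name__ == "__main__":
    pruned = drop_other_relationships(SAMPLE_SPDX)
    print("before:", unreferenced_packages(SAMPLE_SPDX))
    print("after: ", unreferenced_packages(pruned))
```

Run against a real Syft document (json.load the file in place of SAMPLE_SPDX), an empty list from unreferenced_packages after pruning confirms that every OTHER relationship had a CONTAINS counterpart, which is the situation the comment above describes.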

mprpic commented 1 month ago

The change to the openshift-pipelines-client is a bit hard to check so I visualized it with spdxshow as:

[image: graph]

The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?

twaugh commented 1 month ago

> The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?

I pushed an update to spdxshow to make this clearer. What's happening is that each source archive has the same download URL -- I don't think that's correct.

It's also using unquoted '#' in the download_url qualifier for the purl, which I also think isn't right. The PackageURL module ignores everything after that anchor.
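To show why an unquoted '#' in a qualifier loses data, here is an added example (not code from this PR, from Syft or from the packageurl library): a minimal purl splitter that follows the purl spec's parsing order (split once from the right on '#' for the subpath, then once from the right on '?' for qualifiers) beside a builder that percent-encodes qualifier values. The download URL and package coordinates are constructed.

```python
from urllib.parse import quote, unquote

# Assumption: this is a simplified re-implementation of the spec's parsing steps for
# illustration only, not the packageurl-python library.


def parse_purl(purl):
    """Split a purl into scheme, body, qualifiers and subpath per the spec's ordering."""
    scheme, _, rest = purl.partition(":")
    rest = rest.lstrip("/")
    subpath = None
    if "#" in rest:
        # The spec splits once from the right on '#': anything after an unencoded
        # '#' inside a qualifier value becomes the subpath and leaves the qualifier.
        rest, _, subpath = rest.rpartition("#")
    qualifiers = {}
    if "?" in rest:
        rest, _, qs = rest.rpartition("?")
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            qualifiers[key.lower()] = unquote(value)
    return {"scheme": scheme, "body": rest, "qualifiers": qualifiers, "subpath": subpath}


def build_purl(type_, namespace, name, version, qualifiers):
    """Build a purl with every qualifier value percent-encoded ('#' becomes %23)."""
    encoded = "&".join(
        f"{k}={quote(v, safe=':/')}" for k, v in sorted(qualifiers.items())
    )
    return f"pkg:{type_}/{namespace}/{name}@{version}?{encoded}"


# Constructed example values.
DOWNLOAD_URL = "https://git.example.internal/rpms/foo.git#abc123"
RAW_PURL = "pkg:rpm/redhat/foo@1.0-1.el8?download_url=" + DOWNLOAD_URL


def truncated_download_url():
    """What a spec-following parser sees for the unencoded form."""
    return parse_purl(RAW_PURL)["qualifiers"]["download_url"]


def round_tripped_download_url():
    """What the same parser sees once the value is percent-encoded."""
    fixed = build_purl("rpm", "redhat", "foo", "1.0-1.el8", {"download_url": DOWNLOAD_URL})
    return parse_purl(fixed)["qualifiers"]["download_url"]


if __name__ == "__main__":
    print("unencoded:", truncated_download_url())
    print("encoded:  ", round_tripped_download_url())
```

The unencoded form drops the fragment (the commit reference after '#') into the subpath, so the qualifier no longer identifies the source revision; the encoded form survives the round trip intact.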

jasinner commented 3 weeks ago

> > The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?
>
> I pushed an update to spdxshow to make this clearer. What's happening is that each source archive has the same download URL -- I don't think that's correct.
>
> It's also using unquoted '#' in the download_url qualifier for the purl, which I also think isn't right. The PackageURL module ignores everything after that anchor.

I pushed another update which follows the openssl midstream example previously included, to include the midstream sources for openshift-pipelines-client as well.

I wasn't able to visualize it with spdx-show because of this issue with graph-viz:

```
$ python3 spdxshow.py relationships openshift-pipelines-client-1.14.3-11352.el8.spdx.json --no-hints | graph-easy --as=svg > rel.svg
Can't locate Graph/Easy/As_svg.pm in @INC (you may need to install the Graph::Easy::As_svg module) (@INC entries checked: /usr/local/lib64/perl5/5.38 /usr/local/share/perl5/5.38 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /usr/share/perl5/vendor_perl/Graph/Easy.pm line 1752, <STDIN> line 1.
```

twaugh commented 3 weeks ago

For the spdxshow issue: https://bugzilla.redhat.com/show_bug.cgi?id=458661

For some reason the svg module isn't packaged.

Workaround:

```
$ spdxshow relationships ... --no-hints | graph-easy --as=dot | dot -Tsvg
```