Open jkeller-astro opened 1 year ago
Thanks for reporting this. Our team was able to reproduce this issue based on the information that you provided.
We are now working on a fix to improve the handling of virtual packages as our main interest is in capturing the provider of the virtual package (which should also be in the SBOM already), as the provider is the package that would be subject to vulnerabilities in this case. In its default configuration udev is provided by either eudev or systemd.
I tried using the package exclude function in vigiles but get the following error:
When inspecting the manifest generated by the tool, it looks like there is at least one member that doesn't have the 'name' key. For me, the udev virtual package doesn't have a 'name' key, tripping up amendments.py.
While the patch below keeps things moving, I couldn't find out why udev doesn't have a 'name' key.
I can repro this bug using pc_x86_64_efi_defconfig from buildroot 2022.05 and a package exclude file containing just zlib.