[x] research fixing in Syft instead - nothing to be done; grype wasn't using Syft's API very well.
Explanation
Basically, when we're cataloging we remove some packages by ownership overlap, (e.g. if you're on redhat and do yum install python3-urllib, grype will drop the PyPI package urllib in favor of the RPM python3-urllib, because we have better match information for the distro package than for PyPI, e.g. because RedHad backported a fix to an old version of the python code or something).
We do this:
from, ok := r.From.(pkg.Package)
if ok && excludePackage(comprehensiveDistroFeed, p, from) {
continue
}
Which seems fine, however, some relationships have a From of type *pkg.Package, not type pkg.Package (pointer vs struct). This causes the type assertion in grype to always fail, resulting FPs.
The underlying reason is that the syft scanner does this:
when building the relationship. And catalog.Package(id) returns a *Package.
However, when we're decoding an SBOM, the relationship builder looks over catalog.Sorted(), which is a []Package.
We can compensate for this in grype by trying to type assert to both pkg.Package and *pkg.Package. I think that's the easier way, and I feel like the "right" way (making Syft either always put a pointer in the To/From field of a relationship or never do so) might end up breaking the type signature of something exported, which we wanted to avoid in 1.0. Grype PR soon, but definitely open to feedback on the approach.
TODO
Explanation
Basically, when we're cataloging we remove some packages by ownership overlap, (e.g. if you're on redhat and do
yum install python3-urllib
, grype will drop the PyPI packageurllib
in favor of the RPMpython3-urllib
, because we have better match information for the distro package than for PyPI, e.g. because RedHad backported a fix to an old version of the python code or something).We do this:
Which seems fine, however, some relationships have a From of type
*pkg.Package
, not typepkg.Package
(pointer vs struct). This causes the type assertion in grype to always fail, resulting FPs.The underlying reason is that the syft scanner does this:
when building the relationship. And catalog.Package(id) returns a
*Package
.However, when we're decoding an SBOM, the relationship builder looks over
catalog.Sorted()
, which is a[]Package
.We can compensate for this in grype by trying to type assert to both
pkg.Package
and*pkg.Package
. I think that's the easier way, and I feel like the "right" way (making Syft either always put a pointer in the To/From field of a relationship or never do so) might end up breaking the type signature of something exported, which we wanted to avoid in 1.0. Grype PR soon, but definitely open to feedback on the approach.