anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

rpm-db-cataloger does not detect anything when pointing directly to db (e.g. /usr/lib/sysimage/rpm/Packages) #1550

Open erhanX opened 1 year ago

erhanX commented 1 year ago

I am trying to speed up my scan process and want to point directly to the rpmdb at /usr/lib/sysimage/rpm/Packages, but it only shows 0 cataloged packages. It works when pointing at /var/lib, though, where there is a symlink to that folder:

ls -lah /var/lib/
lrwxrwxrwx  1 root    root     26 Jul 18  2022 rpm -> ../../usr/lib/sysimage/rpm

Command outputs for comparison:

syft packages --catalogers rpm-db-cataloger --file sbom.json --output syft-json /var/lib/
 ✔ Indexed /var/lib
 ✔ Cataloged packages      [1154 packages]

syft packages --catalogers rpm-db-cataloger --file sbom.json --output syft-json /var/lib/rpm/Packages
 ✔ Indexed /usr/lib/sysimage/rpm/Packages
 ✔ Cataloged packages      [0 packages]

syft packages --catalogers rpm-db-cataloger --file sbom.json --output syft-json /usr/lib/sysimage/rpm/Packages
 ✔ Indexed /usr/lib/sysimage/rpm/Packages
 ✔ Cataloged packages      [0 packages]

syft packages --catalogers rpm-db-cataloger --file sbom.json --output syft-json /usr/lib/sysimage/rpm/
 ✔ Indexed /usr/lib/sysimage/rpm
 ✔ Cataloged packages      [0 packages]

SBOM output:

 {
   "id": "fc07b91ae8e7c6ac",
   "name": "alsa-utils",
   "version": "1.2.6-150400.1.4",
   "type": "rpm",
   "foundBy": "rpm-db-cataloger",
   "locations": [
    {
     "path": "/usr/lib/sysimage/rpm/Packages"
    }
   ],
   "licenses": [
    "GPL-2.0-or-later"

Environment:

tgerla commented 1 year ago

Hi @erhanX, thanks for the report. The team has taken a look at this and we have some ideas on how to fix the problem. In the meantime, we have made some recent improvements in Syft's performance in 0.71 and later. Can you try that and see if your performance improves?

tgerla commented 1 year ago

We might need to change the RPM db glob pattern to **/rpm instead of using the full /var/lib/rpm path:

https://github.com/anchore/syft/blob/41cbbe09b205e3b80e8a57d4f7a509b5f938557d/syft/pkg/rpm_metadata.go#LL14C12-L14C12