anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Add a cataloger for GitLab installations #1904

Open westonsteimel opened 1 year ago

westonsteimel commented 1 year ago

What would you like to be added:

Create a new cataloger specifically for GitLab installations. In the GitLab official images there is a RELEASE file in the root of the filesystem that identifies the GitLab installation and version. There is also a more detailed manifest file detailing the installation and vendored dependencies at /opt/gitlab/version-manifest.json

For docker.io/gitlab/gitlab-ce:15.6.1-ce.0@sha256:04d4219d5dfb3acccc9997e50477c8d24b371387a95857e1ea8fc779e17a716c:

/RELEASE

```sh
RELEASE_PACKAGE=gitlab-ce
RELEASE_VERSION=15.6.1-ce.0
```
/opt/gitlab/version-manifest.json

```json
{ "manifest_format": 2, "software": { "cacerts": { "locked_version": "2022.07.19", "locked_source": { "sha256": "6ed95025fba2aef0ce7b647607225745624497f876d74ef6ec22b26e73e9de77", "url": "https://curl.haxx.se/ca/cacert-2022-07-19.pem" }, "source_type": "url", "described_version": "2022.07.19", "display_version": "20220719", "vendor": null, "license": "MPL-2.0" }, "config_guess": { "locked_version": "c9092d05347c925a26f6887980e185206e13f9d6", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/config_guess.git" }, "source_type": "git", "described_version": "c9092d05347c925a26f6887980e185206e13f9d6", "display_version": "c9092d05347c925a26f6887980e185206e13f9d6", "vendor": null, "license": "GPL-3.0 (with exception)" }, "openssl": { "locked_version": "29708a562a1887a91de0fa6ca668c71871accde9", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/openssl.git" }, "source_type": "git", "described_version": "OpenSSL_1_1_1q", "display_version": "1.1.1q", "vendor": "openssl", "license": "OpenSSL" }, "redis": { "locked_version": "e6f67092f8d4d81761a60c46011d1ff1dc3c2628", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/redis.git" }, "source_type": "git", "described_version": "6.2.7", "display_version": "6.2.7", "vendor": null, "license": "BSD-3-Clause" }, "ncurses": { "locked_version": "4c9f63c460cb7134f142aa65f6866c175ed77605", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/ncurses.git" }, "source_type": "git", "described_version": "4c9f63c460cb7134f142aa65f6866c175ed77605", "display_version": "6.3-20220416", "vendor": null, "license": "MIT" }, "libedit": { "locked_version": "20120601-3.0", "locked_source": { "sha256": "51f0f4b4a97b7ebab26e7b5c2564c47628cdb3042fd8ba8d0605c719d2541918", "url": "http://www.thrysoee.dk/editline/libedit-20120601-3.0.tar.gz" }, "source_type": "url", "described_version": "20120601-3.0", "display_version": "20120601-3.0", "vendor": null, "license": "BSD-3-Clause" },
"pcre": { "locked_version": "8.44", "locked_source": { "sha256": "aecafd4af3bd0f3935721af77b889d9024b2e01d96b58471bd91a3063fb47728", "url": "http://downloads.sourceforge.net/project/pcre/pcre/8.44/pcre-8.44.tar.gz" }, "source_type": "url", "described_version": "8.44", "display_version": "8.44", "vendor": null, "license": "BSD-2-Clause" }, "zlib": { "locked_version": "04f42ceca40f73e2978b50e93806c2a18c1281fc", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/zlib.git" }, "source_type": "git", "described_version": "v1.2.13", "display_version": "v1.2.13", "vendor": null, "license": "Zlib" }, "nginx-module-vts": { "locked_version": "d6aead19ab52834ad748f14dc536b9128ee22372", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/nginx-module-vts.git" }, "source_type": "git", "described_version": "v0.1.18", "display_version": "v0.1.18", "vendor": null, "license": "BSD-2-Clause" }, "ngx_security_headers": { "locked_version": "99b270d4b85f0b38a287eaaccc5a565ccca21ce1", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/ngx_security_headers.git" }, "source_type": "git", "described_version": "0.0.9", "display_version": "0.0.9", "vendor": null, "license": "BSD-2-Clause" }, "libtool": { "locked_version": "2.4.6", "locked_source": { "sha256": "e3bd4d5d3d025a36c21dd6af7ea818a2afcd4dfc1ea5a17b39d7854bcd0c06e3", "url": "https://ftp.gnu.org/gnu/libtool/libtool-2.4.6.tar.gz" }, "source_type": "url", "described_version": "2.4.6", "display_version": "2.4.6", "vendor": null, "license": "GPL-2.0" }, "libffi": { "locked_version": "3.2.1", "locked_source": { "sha256": "d06ebb8e1d9a22d19e38d63fdb83954253f39bedc5d46232a05645685722ca37", "url": "ftp://sourceware.org/pub/libffi/libffi-3.2.1.tar.gz" }, "source_type": "url", "described_version": "3.2.1", "display_version": "3.2.1", "vendor": null, "license": "MIT" }, "libyaml": { "locked_version": "0.2.5", "locked_source": { "sha256": "c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4", "url":
"https://pyyaml.org/download/libyaml/yaml-0.2.5.tar.gz" }, "source_type": "url", "described_version": "0.2.5", "display_version": "0.2.5", "vendor": null, "license": "MIT" }, "libiconv": { "locked_version": "1.15", "locked_source": { "url": "https://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.15.tar.gz", "sha256": "ccf536620a45458d26ba83887a983b96827001e92a13847b45e4925cc8913178" }, "source_type": "url", "described_version": "1.15", "display_version": "1.15", "vendor": null, "license": "LGPL-2.1" }, "jemalloc": { "locked_version": "54eaed1d8b56b1aa528be3bdd1877e59c56fa90c", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/jemalloc.git" }, "source_type": "git", "described_version": "5.3.0", "display_version": "5.3.0", "vendor": null, "license": "jemalloc" }, "ruby": { "locked_version": "2.7.6", "locked_source": { "sha256": "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10", "url": "https://cache.ruby-lang.org/pub/ruby/2.7/ruby-2.7.6.tar.gz" }, "source_type": "url", "described_version": "2.7.6", "display_version": "2.7.6", "vendor": null, "license": "BSD-2-Clause" }, "rb-readline": { "locked_version": "9fba246073f78831b7c7129c76cc07d8476a8892", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/rb-readline.git" }, "source_type": "git", "described_version": "master", "display_version": "master", "vendor": null, "license": "BSD-3-Clause" }, "popt": { "locked_version": "1.16", "locked_source": { "url": "https://ftp.osuosl.org/pub/blfs/conglomeration/popt/popt-1.16.tar.gz", "sha256": "e728ed296fe9f069a0e005003c3d6b2dde3d9cad453422a10d6558616d304cc8" }, "source_type": "url", "described_version": "1.16", "display_version": "1.16", "vendor": null, "license": "MIT" }, "grafana": { "locked_version": "c0e2ad126c0e83928f3a358e159f442f21cf8d08", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/grafana.git" }, "source_type": "git", "described_version": "v7.5.16", "display_version": "v7.5.16", "vendor": null, "license": "APACHE-2.0" },
"libossp-uuid": { "locked_version": "1.6.2", "locked_source": { "sha256": "11a615225baa5f8bb686824423f50e4427acd3f70d394765bdff32801f0fd5b0", "url": "https://www.mirrorservice.org/sites/ftp.ossp.org/pkg/lib/uuid/uuid-1.6.2.tar.gz" }, "source_type": "url", "described_version": "1.6.2", "display_version": "1.6.2", "vendor": null, "license": "MIT" }, "postgresql_new": { "locked_version": "13.8", "locked_source": { "sha256": "73876fdd3a517087340458dca4ce15b8d2a4dbceb334c0441424551ae6c4cded", "url": "https://ftp.postgresql.org/pub/source/v13.8/postgresql-13.8.tar.bz2" }, "source_type": "url", "described_version": "13.8", "display_version": "13.8", "vendor": null, "license": "PostgreSQL" }, "acme-client": { "locked_version": "2.0.11", "locked_source": null, "source_type": "project_local", "described_version": "2.0.11", "display_version": "2.0.11", "vendor": null, "license": "MIT" }, "compat_resource": { "locked_version": "e36200f6b804915b68a4ce74c8b7a293c041d9fe", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/compat_resource.git" }, "source_type": "git", "described_version": "v12.19.1", "display_version": "v12.19.1", "vendor": null, "license": "Apache-2.0" }, "bundler": { "locked_version": "2.3.15", "locked_source": null, "source_type": "project_local", "described_version": "2.3.15", "display_version": "2.3.15", "vendor": null, "license": "MIT" }, "omnibus-ctl": { "locked_version": "8f7b82e91a917a6cda31a9fed1e431ca66ef34f3", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/omnibus-ctl.git" }, "source_type": "git", "described_version": "0.6.0.1", "display_version": "0.6.0.1", "vendor": null, "license": "Apache-2.0" }, "curl": { "locked_version": "cd95ee9f771361acf241629d2fe5507e308082a2", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/curl.git" }, "source_type": "git", "described_version": "curl-7_86_0", "display_version": "7.86.0", "vendor": "haxx", "license": "MIT" }, "pcre2": { "locked_version":
"3103b8f20a3b9944b177e812fde29fbfb8b90558", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/pcre2.git" }, "source_type": "git", "described_version": "pcre2-10.40", "display_version": "10.40", "vendor": null, "license": "BSD-2-Clause" }, "pkg-config-lite": { "locked_version": "0.28-1", "locked_source": { "sha256": "21b76ec4e115ee30f9b3077a2506e48e8b837332ed4d30c9776502e69c6a29e5", "url": "https://downloads.sourceforge.net/project/pkgconfiglite/0.28-1/pkg-config-lite-0.28-1.tar.gz" }, "source_type": "url", "described_version": "0.28-1", "display_version": "0.28-1", "vendor": null, "license": "GPL-2.0" }, "liblzma": { "locked_version": "5.2.4", "locked_source": { "url": "http://tukaani.org/xz/xz-5.2.4.tar.gz", "sha256": "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145" }, "source_type": "url", "described_version": "5.2.4", "display_version": "5.2.4", "vendor": null, "license": "Public-Domain" }, "libxml2": { "locked_version": "2.10.3", "locked_source": { "sha256": "5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c", "url": "https://download.gnome.org/sources/libxml2/2.10/libxml2-2.10.3.tar.xz" }, "source_type": "url", "described_version": "2.10.3", "display_version": "2.10.3", "vendor": null, "license": "MIT" }, "libxslt": { "locked_version": "1.1.35", "locked_source": { "sha256": "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79", "url": "https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.tar.xz" }, "source_type": "url", "described_version": "1.1.35", "display_version": "1.1.35", "vendor": null, "license": "MIT" }, "rsync": { "locked_version": "3.2.7", "locked_source": { "sha256": "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb", "url": "https://rsync.samba.org/ftp/rsync/src/rsync-3.2.7.tar.gz" }, "source_type": "url", "described_version": "3.2.7", "display_version": "3.2.7", "vendor": null, "license": "GPL v3" }, "libicu": { "locked_version":
"0c5873f89bf64f6bbc0a24b84f07d79b25785a42", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/libicu.git" }, "source_type": "git", "described_version": "release-57-1", "display_version": "57.1", "vendor": null, "license": "MIT" }, "postgresql": { "locked_version": "12.12", "locked_source": { "sha256": "34b3f1c69408e22068c0c71b1827691f1c89153b0ad576c1a44f8920a858039c", "url": "https://ftp.postgresql.org/pub/source/v12.12/postgresql-12.12.tar.bz2" }, "source_type": "url", "described_version": "12.12", "display_version": "12.12", "vendor": null, "license": "PostgreSQL" }, "bzip2": { "locked_version": "1.0.8", "locked_source": { "sha512": "083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3", "url": "https://sourceware.org/pub/bzip2/bzip2-1.0.8.tar.gz" }, "source_type": "url", "described_version": "1.0.8", "display_version": "1.0.8", "vendor": null, "license": "BSD-2-Clause" }, "python3": { "locked_version": "3.9.6", "locked_source": { "url": "https://www.python.org/ftp/python/3.9.6/Python-3.9.6.tgz", "sha256": "d0a35182e19e416fc8eae25a3dcd4d02d4997333e4ad1f2eee6010aadc3fe866" }, "source_type": "url", "described_version": "3.9.6", "display_version": "3.9.6", "vendor": null, "license": "Python-2.0" }, "python-docutils": { "locked_version": "0.16", "locked_source": null, "source_type": "project_local", "described_version": "0.16", "display_version": "0.16", "vendor": null, "license": "Public-Domain" }, "krb5": { "locked_version": "b399721b5aedacc490158c04f6a3fa77c98f0b62", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/krb5.git" }, "source_type": "git", "described_version": "krb5-1.17", "display_version": "1.17", "vendor": null, "license": "MIT" }, "registry": { "locked_version": "3811d58cb8df0620fb76d2333b670a2a82eeab00", "locked_source": { "git": "git@dev.gitlab.org:gitlab/container-registry.git" }, "source_type": "git", "described_version": "v3.60.2-gitlab",
"display_version": "v3.60.2", "vendor": null, "license": "Apache-2.0" }, "unzip": { "locked_version": "6.0.27", "locked_source": { "url": "https://downloads.sourceforge.net/project/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/unzip60.tar.gz", "sha256": "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" }, "source_type": "url", "described_version": "6.0.27", "display_version": "6.0.27", "vendor": null, "license": "Info-ZIP" }, "libre2": { "locked_version": "7436831ef39b89b3a2ea50be91cf09732a900239", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/libre2.git" }, "source_type": "git", "described_version": "2016-02-01", "display_version": "20160201", "vendor": null, "license": "BSD" }, "libgpg-error": { "locked_version": "1.39", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.39.tar.bz2", "sha256": "4a836edcae592094ef1c5a4834908f44986ab2b82e0824a0344b49df8cdb298f" }, "source_type": "url", "described_version": "1.39", "display_version": "1.39", "vendor": null, "license": "LGPL-2.1" }, "libassuan": { "locked_version": "2.5.3", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/libassuan/libassuan-2.5.3.tar.bz2", "sha256": "91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702" }, "source_type": "url", "described_version": "2.5.3", "display_version": "2.5.3", "vendor": null, "license": "LGPL-2.1" }, "npth": { "locked_version": "1.6", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/npth/npth-1.6.tar.bz2", "sha256": "1393abd9adcf0762d34798dc34fdcf4d0d22a8410721e76f1e3afcd1daa4e2d1" }, "source_type": "url", "described_version": "1.6", "display_version": "1.6", "vendor": null, "license": "LGPL-2.1" }, "libgcrypt": { "locked_version": "1.9.4", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.9.4.tar.bz2", "sha256": "ea849c83a72454e3ed4267697e8ca03390aee972ab421e7df69dfe42b65caaf7" }, "source_type": "url", "described_version": "1.9.4",
"display_version": "1.9.4", "vendor": null, "license": "LGPL-2.1" }, "libksba": { "locked_version": "1.4.0", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/libksba/libksba-1.4.0.tar.bz2", "sha256": "bfe6a8e91ff0f54d8a329514db406667000cb207238eded49b599761bfca41b6" }, "source_type": "url", "described_version": "1.4.0", "display_version": "1.4.0", "vendor": null, "license": "LGPL-3" }, "gnupg": { "locked_version": "2.2.23", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.23.tar.bz2", "sha256": "10b55e49d78b3e49f1edb58d7541ecbdad92ddaeeb885b6f486ed23d1cd1da5c" }, "source_type": "url", "described_version": "2.2.23", "display_version": "2.2.23", "vendor": null, "license": "LGPL-2.1" }, "gpgme": { "locked_version": "1.17.0", "locked_source": { "url": "https://www.gnupg.org/ftp/gcrypt/gpgme/gpgme-1.17.0.tar.bz2", "sha256": "4ed3f50ceb7be2fce2c291414256b20c9ebf4c03fddb922c88cda99c119a69f5" }, "source_type": "url", "described_version": "1.17.0", "display_version": "1.17.0", "vendor": null, "license": "LGPL-2.1" }, "libpng": { "locked_version": "a40189cf881e9f0db80511c382292a5604c3c3d1", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/libpng.git" }, "source_type": "git", "described_version": "v1.6.37", "display_version": "v1.6.37", "vendor": null, "license": "Libpng" }, "libjpeg-turbo": { "locked_version": "ecf021bc0d6f435daacff7c35ccaeef0145df1b9", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/libjpeg-turbo.git" }, "source_type": "git", "described_version": "2.1.2", "display_version": "2.1.2", "vendor": null, "license": "BSD-3-Clause" }, "libtiff": { "locked_version": "b6a17e567f143fab49734a9e09e5bafeb6f97354", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/libtiff.git" }, "source_type": "git", "described_version": "v4.4.0", "display_version": "v4.4.0", "vendor": null, "license": "libtiff" }, "graphicsmagick": { "locked_version": "1.3.36", "locked_source": { "url":
"https://sourceforge.net/projects/graphicsmagick/files/graphicsmagick/1.3.36/GraphicsMagick-1.3.36.tar.gz", "sha256": "1e6723c48c4abbb31197fadf8396b2d579d97e197123edc70a4f057f0533d563" }, "source_type": "url", "described_version": "1.3.36", "display_version": "1.3.36", "vendor": null, "license": "MIT" }, "exiftool": { "locked_version": "48df8aae22faa33d830dcf2ecdf406998b4d3849", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/exiftool.git" }, "source_type": "git", "described_version": "12.42", "display_version": "12.42", "vendor": null, "license": "GPL-1.0 or Artistic" }, "nginx": { "locked_version": "656597b6e248868d56ed25559846ab5c58f8f3ac", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/nginx.git" }, "source_type": "git", "described_version": "release-1.20.2", "display_version": "1.20.2", "vendor": null, "license": "BSD-2-Clause" }, "mixlib-log": { "locked_version": "3.0.9", "locked_source": null, "source_type": "project_local", "described_version": "3.0.9", "display_version": "3.0.9", "vendor": null, "license": "Apache-2.0" }, "chef-zero": { "locked_version": "15.0.11", "locked_source": null, "source_type": "project_local", "described_version": "15.0.11", "display_version": "15.0.11", "vendor": null, "license": "Apache-2.0" }, "ohai": { "locked_version": "17.9.0", "locked_source": null, "source_type": "project_local", "described_version": "17.9.0", "display_version": "17.9.0", "vendor": null, "license": "Apache-2.0" }, "chef-gem": { "locked_version": "17.10.0", "locked_source": null, "source_type": "project_local", "described_version": "17.10.0", "display_version": "17.10.0", "vendor": null, "license": "Apache-2.0" }, "chef-bin": { "locked_version": "17.10.0", "locked_source": null, "source_type": "project_local", "described_version": "17.10.0", "display_version": "17.10.0", "vendor": null, "license": "Apache-2.0" }, "remote-syslog": { "locked_version": "1.6.15", "locked_source": null, "source_type": "project_local",
"described_version": "1.6.15", "display_version": "1.6.15", "vendor": null, "license": "MIT" }, "logrotate": { "locked_version": "0a900b9435522b1314a39ead26ee7cccc91f5674", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/logrotate.git" }, "source_type": "git", "described_version": "3.18.0", "display_version": "3.18.0", "vendor": null, "license": "GPL-2.0" }, "runit": { "locked_version": "2.1.2", "locked_source": { "sha256": "6fd0160cb0cf1207de4e66754b6d39750cff14bb0aa66ab49490992c0c47ba18", "url": "http://smarden.org/runit/runit-2.1.2.tar.gz" }, "source_type": "url", "described_version": "2.1.2", "display_version": "2.1.2", "vendor": null, "license": "BSD-3-Clause" }, "go-crond": { "locked_version": "5bd41275c028bcb54433fb6b515731375f3c61ff", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/go-crond.git" }, "source_type": "git", "described_version": "22.9.1", "display_version": "22.9.1", "vendor": null, "license": "BSD-2-Clause" }, "docker-distribution-pruner": { "locked_version": "a796e3670d508529da84ac66f242d87ff7803609", "locked_source": { "git": "git@dev.gitlab.org:gitlab/docker-distribution-pruner.git" }, "source_type": "git", "described_version": "v0.2.0", "display_version": "v0.2.0", "vendor": null, "license": "MIT" }, "mail_room": { "locked_version": "0.0.20", "locked_source": null, "source_type": "project_local", "described_version": "0.0.20", "display_version": "0.0.20", "vendor": null, "license": "MIT" }, "grafana-dashboards": { "locked_version": "1f61ef180236d67b6dbb4921a61b7c0c1c606c3f", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/grafana-dashboards.git" }, "source_type": "git", "described_version": "v1.9.0", "display_version": "v1.9.0", "vendor": null, "license": "MIT" }, "alertmanager": { "locked_version": "f484b17fa3c583ed1b2c8bbcec20ba1db2aa5f11", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/alertmanager.git" }, "source_type": "git", "described_version": "v0.24.0", "display_version":
"v0.24.0", "vendor": null, "license": "APACHE-2.0" }, "node-exporter": { "locked_version": "7da1321761b3b8dfc9e496e1a60e6a476fec6018", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/node_exporter.git" }, "source_type": "git", "described_version": "v1.4.0", "display_version": "v1.4.0", "vendor": null, "license": "APACHE-2.0" }, "redis-exporter": { "locked_version": "19f7b036bb46869858eec74d8d3fc2186d641399", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/redis_exporter.git" }, "source_type": "git", "described_version": "v1.44.0", "display_version": "v1.44.0", "vendor": null, "license": "MIT" }, "postgres-exporter": { "locked_version": "b5fd2465646a09bb1c8dbd5c9c00b852da93927a", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/postgres_exporter.git" }, "source_type": "git", "described_version": "v0.11.1", "display_version": "v0.11.1", "vendor": null, "license": "Apache-2.0" }, "prometheus": { "locked_version": "818d6e60888b2a3ea363aee8a9828c7bafd73699", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/prometheus.git" }, "source_type": "git", "described_version": "v2.38.0", "display_version": "v2.38.0", "vendor": null, "license": "APACHE-2.0" }, "gitlab-exporter": { "locked_version": "12.0.1", "locked_source": null, "source_type": "project_local", "described_version": "12.0.1", "display_version": "12.0.1", "vendor": null, "license": "MIT" }, "mattermost": { "locked_version": "7.4.0", "locked_source": { "url": "https://releases.mattermost.com/7.4.0/mattermost-team-7.4.0-linux-amd64.tar.gz", "sha256": "530118ced6f0f2bf9f3ae98cfec43bf1f2a0a35a52913ba60c0203fadacd9b10" }, "source_type": "url", "described_version": "7.4.0", "display_version": "7.4.0", "vendor": null, "license": "MIT with Trademark Protection" }, "gitlab-cookbooks": { "locked_version": null, "locked_source": { "path": "/builds/gitlab/omnibus-gitlab/files/gitlab-cookbooks" }, "source_type": "path", "described_version": null, "display_version": null,
"vendor": null, "license": "Apache-2.0" }, "chef-acme": { "locked_version": "b7879bfa54ca82786e9688c12cf68570f9cfb526", "locked_source": { "git": "git@dev.gitlab.org:omnibus-mirror/chef-acme.git" }, "source_type": "git", "described_version": "v4.1.5", "display_version": "v4.1.5", "vendor": null, "license": "Apache-2.0" }, "gitlab-ctl": { "locked_version": null, "locked_source": { "path": "/builds/gitlab/omnibus-gitlab/files/gitlab-ctl-commands" }, "source_type": "path", "described_version": null, "display_version": null, "vendor": null, "license": "Apache-2.0" }, "gitlab-psql": { "locked_version": "4ac3cc368e73f3750591493104798fce", "locked_source": null, "source_type": "project_local", "described_version": "4ac3cc368e73f3750591493104798fce", "display_version": "4ac3cc368e73f3750591493104798fce", "vendor": null, "license": "Apache-2.0" }, "gitlab-redis-cli": { "locked_version": "3ffeaf38747880b81c97f0473e60d148", "locked_source": null, "source_type": "project_local", "described_version": "3ffeaf38747880b81c97f0473e60d148", "display_version": "3ffeaf38747880b81c97f0473e60d148", "vendor": null, "license": "Apache-2.0" }, "gitlab-healthcheck": { "locked_version": "a89dae24720a761a707015f8b0cbbb45", "locked_source": null, "source_type": "project_local", "described_version": "a89dae24720a761a707015f8b0cbbb45", "display_version": "a89dae24720a761a707015f8b0cbbb45", "vendor": null, "license": "Apache-2.0" }, "gitlab-selinux": { "locked_version": null, "locked_source": { "path": "/builds/gitlab/omnibus-gitlab/files/gitlab-selinux" }, "source_type": "path", "described_version": null, "display_version": null, "vendor": null, "license": "Apache-2.0" }, "gitlab-scripts": { "locked_version": null, "locked_source": { "path": "/builds/gitlab/omnibus-gitlab/files/gitlab-scripts" }, "source_type": "path", "described_version": null, "display_version": null, "vendor": null, "license": "Apache-2.0" }, "gitlab-config-template": { "locked_version": null, "locked_source": { "path":
"/builds/gitlab/omnibus-gitlab/files/gitlab-config-template" }, "source_type": "path", "described_version": null, "display_version": null, "vendor": null, "license": "Apache-2.0" }, "gitlab-kas": { "locked_version": "864a221ae320998681e6e96a685ffb8a3d296c4b", "locked_source": { "git": "git@dev.gitlab.org:gitlab/cluster-integration/gitlab-agent.git" }, "source_type": "git", "described_version": "v15.6.0", "display_version": "v15.6.0", "vendor": null, "license": "MIT" }, "gitlab-shell": { "locked_version": "b42a398c92565630b541e55c2c6c0ce47cf10b58", "locked_source": { "git": "git@dev.gitlab.org:gitlab/gitlab-shell.git" }, "source_type": "git", "described_version": "v14.13.0", "display_version": "v14.13.0", "vendor": null, "license": "MIT" }, "gitlab-pages": { "locked_version": "6baf899298aaac3bdb5674df797c5d93b57dff77", "locked_source": { "git": "git@dev.gitlab.org:gitlab/gitlab-pages.git" }, "source_type": "git", "described_version": "v1.63.0", "display_version": "v1.63.0", "vendor": null, "license": "MIT" }, "git": { "locked_version": "ffc6124afed909cbfd224f1ceb43ace83f07c223", "locked_source": { "git": "git@dev.gitlab.org:gitlab/gitaly" }, "source_type": "git", "described_version": "v15.6.1", "display_version": "v15.6.1", "vendor": "gitlab", "license": "GPL-2.0" }, "gitlab-rails": { "locked_version": "779fe6c4b74b73e2db8ab7cb8d304fcbbd73a704", "locked_source": { "git": "git@dev.gitlab.org:gitlab/gitlabhq.git" }, "source_type": "git", "described_version": "v15.6.1", "display_version": "v15.6.1", "vendor": null, "license": "MIT" }, "gitaly": { "locked_version": "ffc6124afed909cbfd224f1ceb43ace83f07c223", "locked_source": { "git": "git@dev.gitlab.org:gitlab/gitaly" }, "source_type": "git", "described_version": "v15.6.1", "display_version": "v15.6.1", "vendor": null, "license": "MIT" }, "package-scripts": { "locked_version": "15.6.1+ce.0", "locked_source": null, "source_type": "project_local", "described_version": "15.6.1+ce.0", "display_version": "15.6.1+ce.0",
"vendor": null, "license": "Apache-2.0" }, "version-manifest": { "locked_version": "0.0.1", "locked_source": null, "source_type": "project_local", "described_version": "0.0.1", "display_version": "0.0.1", "vendor": null, "license": "project_license" } }, "build_version": "15.6.1", "build_git_revision": "e3d1cd74ef1abe2b9514d8aa64c065b434becd3a", "license": "MIT" }
```

Why is this needed:

Currently syft will pick up that GitLab is installed as a Debian package; however, this leads to problems later on in grype when trying to match vulnerabilities, because it will match against the Debian security feed, and since GitLab isn't actually a Debian-supported package it will never find any relevant matches. I'm not sure what the best solution is to that case in general, but for GitLab specifically it feels like there could be value in creating a dedicated cataloger that might be able to account for this and also pick up on the extra dependency relationship details embedded in the manifest file.

Additional context: I think I spoke to @wagoodman about this quite some time ago but forgot to capture an issue for it.

willmurphyscode commented 4 days ago

Adding a few research questions here:

  1. Has anything changed in how GitLab does this since the issue was opened?
  2. How do we want packages in the /opt/gitlab/version-manifest.json to interact with other catalogers? For example, @westonsteimel found curl in one, but it's likely the binary classifier will also find curl. Should we do any deduplicating?
  3. How do we want to create a package product from /RELEASE? I think emitting some package that represents gitlab itself should be done, but I'm not sure exactly what it should look like.
  4. It seems like the "catalog gitlab itself from /RELEASE" and "catalog packages gitlab says it bundled from /opt/gitlab/version-manifest.json" might be different catalogers. Should they be split out so they can be enabled/disabled separately?

After we do some more research here, we can pick back up #2788 and try to get it in.