Distinguish OS package vs unofficial packages

anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Apache License 2.0

5.92k stars 545 forks source link

Distinguish OS package vs unofficial packages #2549

Open wagoodman opened 7 months ago

wagoodman commented 7 months ago

Today syft does not distinguish between RPMs from the official distro provider vs RPMs that were curled and installed from unofficial sources. This is valuable to detect, and applies to mulitple ecosystems, but the solution is not straight forward or obvious in all cases.

The ecosystems to cover should at least be all of the OS distros we support:

[ ] Redhat
[ ] Debian -- https://github.com/anchore/syft/issues/2657
[ ] Alpine
[ ] Arch
[ ] Gentoo

wagoodman commented 7 months ago

There is a ongoing conversation about how to do this with alpine packages: https://github.com/anchore/grype/issues/827 . As of this time it isn't clear what the way forward is for alpine.

wagoodman commented 7 months ago

There is also another issue that talks about multiple ecosystems, primarily Redhat and Debian https://github.com/anchore/syft/issues/1607

westonsteimel commented 7 months ago

What about an approach in grype in the meantime within SearchByDistro where it would first search in the distro namespace for any packages matching the name (or parent package name), and if it finds nothing fall back to CPE matching? Maybe make it configurable or something?