anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.34k stars 580 forks source link

Distinguish OS package vs unofficial packages #2549

Open wagoodman opened 10 months ago

wagoodman commented 10 months ago

Today syft does not distinguish between RPMs from the official distro provider vs RPMs that were curled and installed from unofficial sources. This is valuable to detect, and applies to mulitple ecosystems, but the solution is not straight forward or obvious in all cases.

The ecosystems to cover should at least be all of the OS distros we support:

wagoodman commented 10 months ago

There is a ongoing conversation about how to do this with alpine packages: https://github.com/anchore/grype/issues/827 . As of this time it isn't clear what the way forward is for alpine.

wagoodman commented 10 months ago

There is also another issue that talks about multiple ecosystems, primarily Redhat and Debian https://github.com/anchore/syft/issues/1607

westonsteimel commented 10 months ago

What about an approach in grype in the meantime within SearchByDistro where it would first search in the distro namespace for any packages matching the name (or parent package name), and if it finds nothing fall back to CPE matching? Maybe make it configurable or something?