Open jimvert opened 3 months ago
For example, here's the dependency information for openssh-server:
```
Provides: ssh-server
Depends: adduser (>= 3.9), dpkg (>= 1.9.0), libpam-modules (>= 0.72-9), libpam-runtime (>= 0.76-14), lsb-base (>= 4.1+Debian3), openssh-client (= 1:8.9p1-3ubuntu0.6), openssh-sftp-server, procps, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0, libaudit1 (>= 1:2.2.1), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libcrypt1 (>= 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.2), libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)
Pre-Depends: init-system-helpers (>= 1.54~)
Recommends: default-logind | logind | libpam-systemd, ncurses-term, xauth, ssh-import-id
```
From the build perspective, ssh-import-id was installed based on the Recommends line above under openssh-server, and from the SBOM, ssh-import-id does show up:
```json
{
  "type": "library",
  "bom-ref": "447-ssh-import-id",
  "name": "ssh-import-id",
  "version": "5.11",
  "supplier": {
    "name": "Ubuntu Developers",
    "contact": [
      { "email": "ubuntu-devel-discuss@lists.ubuntu.com" }
    ]
  },
  "cpe": "cpe:2.3:a:ubuntu_developers:ssh-import-id:5.11-0ubuntu1:*:*:*:*:*:*:*",
  "description": "securely retrieve an SSH public key and install it locally",
  "externalReferences": [
    {
      "url": "http://launchpad.net/ssh-import-id",
      "type": "website",
      "comment": "Home page for project"
    }
  ],
  "purl": "pkg:deb/ssh-import-id@5.11-0ubuntu1"
}
```
If I look at the SBOM dependencies for openssh-server, though, ssh-import-id doesn't show up:
```json
{
  "ref": "111-openssh-server",
  "dependsOn": [
    "2-adduser",
    "112-dpkg",
    "19-libpam-modules",
    "114-libpam-runtime",
    "27-lsb-base",
    "115-openssh-client",
    "122-openssh-sftp-server",
    "123-procps",
    "129-ucf",
    "12-debconf",
    "4-libaudit1",
    "6-libc6",
    "81-libcom-err2",
    "9-libcrypt1",
    "80-libgssapi-krb5-2",
    "84-libkrb5-3",
    "11-libpam0g",
    "13-libselinux1",
    "24-libssl3",
    "43-libsystemd0",
    "132-libwrap0",
    "39-zlib1g"
  ]
}
```
It's confusing looking at the SBOM to see ssh-import-id show up without having traceability to the Debian package that pulls in ssh-import-id.
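As an added example (not from this issue or the project it was filed against), a small Python check that surfaces exactly the gap described above: it parses dpkg `Depends`/`Recommends` fields, lists SBOM components that no `dependsOn` entry points at, and reports recommended packages that are present as components but missing from a package's `dependsOn` list. The CycloneDX fragment, root component and abridged control fields are constructed from the snippets in the issue, not taken from a real build.

```python
import re

# Constructed mini CycloneDX SBOM modelled on the issue's fragments (assumption, not real build output).
SBOM = {
    "metadata": {"component": {"bom-ref": "0-image", "name": "ubuntu-image"}},
    "components": [
        {"bom-ref": "111-openssh-server", "name": "openssh-server"},
        {"bom-ref": "115-openssh-client", "name": "openssh-client"},
        {"bom-ref": "447-ssh-import-id", "name": "ssh-import-id"},
    ],
    "dependencies": [
        {"ref": "0-image", "dependsOn": ["111-openssh-server"]},
        # Mirrors the issue: openssh-server lists its Depends but not the Recommends that got installed.
        {"ref": "111-openssh-server", "dependsOn": ["115-openssh-client"]},
    ],
}

# dpkg control fields for openssh-server, abridged from the issue text.
CONTROL = {
    "Depends": "adduser (>= 3.9), openssh-client (= 1:8.9p1-3ubuntu0.6), debconf (>= 0.5) | debconf-2.0",
    "Recommends": "default-logind | logind | libpam-systemd, ncurses-term, xauth, ssh-import-id",
}


def parse_relations(field):
    """Split a dpkg relation field into groups of alternatives (package names only, versions dropped)."""
    groups = []
    for clause in field.split(","):
        alts = [re.sub(r"\s*\(.*?\)", "", alt).strip() for alt in clause.split("|")]
        groups.append([a for a in alts if a])
    return groups


def orphan_components(sbom):
    """Components that appear in the SBOM but that no dependency entry points at (the root is exempt)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    targets = {ref for d in sbom["dependencies"] for ref in d.get("dependsOn", [])}
    return sorted(c["name"] for c in sbom["components"]
                  if c["bom-ref"] not in targets and c["bom-ref"] != root)


def missing_recommends_edges(sbom, pkg_ref, control):
    """Recommended packages present as SBOM components but absent from pkg_ref's dependsOn list."""
    by_name = {c["name"]: c["bom-ref"] for c in sbom["components"]}
    deps = next((d for d in sbom["dependencies"] if d["ref"] == pkg_ref), {"dependsOn": []})
    missing = []
    for alts in parse_relations(control.get("Recommends", "")):
        # Only the alternative that was actually installed shows up as a component.
        for name in (a for a in alts if a in by_name):
            if by_name[name] not in deps["dependsOn"]:
                missing.append(name)
    return missing
```

Run against a full SBOM and the output of `dpkg-query -W -f='${Recommends}\n' openssh-server`, the second function names exactly the packages whose traceability the issue asks for.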