anthonyharrison / distro2SBOM

Generates SBOM files from system packaging information
Apache License 2.0
10 stars 7 forks

Debian Recommends dependencies are not shown in SBOM... #14

Open jimvert opened 3 months ago

jimvert commented 3 months ago

For example, here's the dependency information for openssh-server:

Provides: ssh-server
Depends: adduser (>= 3.9), dpkg (>= 1.9.0), libpam-modules (>= 0.72-9), libpam-runtime (>= 0.76-14), lsb-base (>= 4.1+Debian3), openssh-client (= 1:8.9p1-3ubuntu0.6), openssh-sftp-server, procps, ucf (>= 0.28), debconf (>= 0.5) | debconf-2.0, libaudit1 (>= 1:2.2.1), libc6 (>= 2.34), libcom-err2 (>= 1.43.9), libcrypt1 (>= 1:4.1.0), libgssapi-krb5-2 (>= 1.17), libkrb5-3 (>= 1.13~alpha1+dfsg), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libssl3 (>= 3.0.2), libsystemd0, libwrap0 (>= 7.6-4~), zlib1g (>= 1:1.1.4)
Pre-Depends: init-system-helpers (>= 1.54~)
Recommends: default-logind | logind | libpam-systemd, ncurses-term, xauth, ssh-import-id

From the build perspective, ssh-import-id was installed based on the Recommends line above under openssh-server, and from the SBOM, ssh-import-id does show up:

    {
      "type": "library",
      "bom-ref": "447-ssh-import-id",
      "name": "ssh-import-id",
      "version": "5.11",
      "supplier": {
        "name": "Ubuntu Developers",
        "contact": [
          {
            "email": "ubuntu-devel-discuss@lists.ubuntu.com"
          }
        ]
      },
      "cpe": "cpe:2.3:a:ubuntu_developers:ssh-import-id:5.11-0ubuntu1:*:*:*:*:*:*:*",
      "description": "securely retrieve an SSH public key and install it locally",
      "externalReferences": [
        {
          "url": "http://launchpad.net/ssh-import-id",
          "type": "website",
          "comment": "Home page for project"
        }
      ],
      "purl": "pkg:deb/ssh-import-id@5.11-0ubuntu1"
    }

If I look at the SBOM dependencies for openssh-server, though, ssh-import-id doesn't show up:

    {
      "ref": "111-openssh-server",
      "dependsOn": [
        "2-adduser",
        "112-dpkg",
        "19-libpam-modules",
        "114-libpam-runtime",
        "27-lsb-base",
        "115-openssh-client",
        "122-openssh-sftp-server",
        "123-procps",
        "129-ucf",
        "12-debconf",
        "4-libaudit1",
        "6-libc6",
        "81-libcom-err2",
        "9-libcrypt1",
        "80-libgssapi-krb5-2",
        "84-libkrb5-3",
        "11-libpam0g",
        "13-libselinux1",
        "24-libssl3",
        "43-libsystemd0",
        "132-libwrap0",
        "39-zlib1g"
      ]
    }

It's confusing looking at the SBOM to see ssh-import-id show up without having traceability to the Debian package that pulls in ssh-import-id.
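As an added example (not distro2SBOM's own code and not part of this issue), the Python script below parses Debian control-style dependency fields and builds the package dependency graph first with Depends only, then with Pre-Depends and Recommends as edges too, so the traceability gap described above can be reproduced and checked offline. The sample stanzas are constructed, trimmed from the openssh-server fields quoted in the issue; the extra stanzas and their versions, the `<n>-<name>` bom-ref numbering, and all function names are assumptions for illustration.

```python
"""Added example, not distro2SBOM's own code: build a package dependency
graph from Debian control fields and show that a component such as
ssh-import-id only becomes reachable from openssh-server once Recommends
(and Pre-Depends) are treated as dependency edges, not just Depends."""
import json
import re

# Constructed sample in dpkg status format, trimmed from the openssh-server
# fields quoted in the issue; the other stanzas and versions are illustrative.
SAMPLE_STATUS = """\
Package: openssh-server
Version: 1:8.9p1-3ubuntu0.6
Depends: adduser (>= 3.9), openssh-client (= 1:8.9p1-3ubuntu0.6), debconf (>= 0.5) | debconf-2.0, libssl3 (>= 3.0.2)
Pre-Depends: init-system-helpers (>= 1.54~)
Recommends: default-logind | logind | libpam-systemd, ncurses-term, xauth, ssh-import-id

Package: openssh-client
Version: 1:8.9p1-3ubuntu0.6
Depends: libssl3 (>= 3.0.2)

Package: libssl3
Version: 3.0.2-0ubuntu1.15

Package: ssh-import-id
Version: 5.11-0ubuntu1
Depends: python3:any

Package: xauth
Version: 1:1.1-1build2
"""

_VERSION_RE = re.compile(r"\s*\([^)]*\)")   # "(>= 3.9)" version constraints
_ARCH_RE = re.compile(r":[a-z0-9-]+$")      # ":any" / ":amd64" qualifiers


def parse_dep_field(value):
    """Split a Depends-style field into alternative groups of bare names:
    "a (>= 1), b | c" -> [["a"], ["b", "c"]]."""
    groups = []
    for clause in value.split(","):
        alts = []
        for alt in clause.split("|"):
            name = _ARCH_RE.sub("", _VERSION_RE.sub("", alt).strip())
            if name:
                alts.append(name)
        if alts:
            groups.append(alts)
    return groups


def parse_status(text):
    """Parse dpkg status stanzas into {package_name: {field: value}}.
    Continuation lines (e.g. Description bodies) are ignored."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:
                key, _, val = line.partition(":")
                fields[key.strip()] = val.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages


def dependency_graph(packages, fields=("Depends", "Pre-Depends", "Recommends")):
    """Map each package to the set of *installed* packages it pulls in via
    `fields`. Only installed alternatives become edges, so a Recommends that
    apt skipped (or that was removed later) never yields a dangling ref."""
    installed = set(packages)
    graph = {}
    for name, info in packages.items():
        deps = set()
        for field in fields:
            for group in parse_dep_field(info.get(field, "")):
                deps.update(alt for alt in group if alt in installed)
        graph[name] = deps
    return graph


def orphan_components(packages, graph):
    """Installed packages no edge reaches: present in the SBOM component list
    but with no dependsOn path explaining why they are on the system."""
    referenced = set().union(*graph.values())
    return sorted(set(packages) - referenced)


def cyclonedx_dependencies(graph):
    """Render the graph as CycloneDX 'dependencies' entries in the
    '<n>-<name>' bom-ref style seen in the issue (numbering is illustrative)."""
    refs = {name: f"{i}-{name}" for i, name in enumerate(sorted(graph), start=1)}
    return [{"ref": refs[name], "dependsOn": [refs[d] for d in sorted(deps)]}
            for name, deps in sorted(graph.items())]


if __name__ == "__main__":
    pkgs = parse_status(SAMPLE_STATUS)
    for label, flds in (("Depends only", ("Depends",)),
                        ("with Pre-Depends+Recommends", ("Depends", "Pre-Depends", "Recommends"))):
        print(f"{label}: orphans = {orphan_components(pkgs, dependency_graph(pkgs, flds))}")
    print(json.dumps(cyclonedx_dependencies(dependency_graph(pkgs)), indent=2))
```

With Depends-only edges, ssh-import-id and xauth come out as orphans: listed as components, reachable from nothing, which is exactly the gap described above. Treating Pre-Depends and Recommends as edges (restricted to packages actually installed, since apt can be configured not to install Recommends) makes them reachable from openssh-server. One caveat: a CycloneDX `dependsOn` edge carries no relationship type, so once a recommended package is included in the graph it is indistinguishable from a hard dependency.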