Open puerco opened 1 year ago
> discards some important information from the apkdb such as the declared license or the package checksum
@puerco Quick question — I understand the package checksum part, but why would it be preferable to get the declared license from the apkdb instead of getting it from the apk's SBOM?
I think what @puerco is saying is that we should fall back to apkdb when an SBOM is not available. The SBOM should be preferred over the apkdb as the data will be richer.
> The SBOM should be preferred over the apkdb as the data will be richer.
Great! If this is the philosophy, I think that's a good plan. 👍
> we should fall back to apkdb when an SBOM is not available
Right, in general. We will start with the data from the apkdb and complement it with that from the apk SBOM. As of now we replace the apkdb SPDX package entirely.
Finer control should be available when we have a good composing library. For example, to choose which fields to use when you have fields in both, etc.
Current Issue:
When apko finds an SBOM inside of an apk describing it, it will import the data from the apk SBOM and compose it in the right place in the image SBOM it builds. While the composed SBOM is structurally correct, the original SPDX package generated from the apkdb is completely replaced with the equivalent found inside the apk.
Replacing the package improves the composed SBOM, as the apk SBOM should have richer data for the package, but it nevertheless discards some important information from the apkdb such as the declared license or the package checksum.
Solution:
This enhancement would modify apko to enrich the imported apk SPDX package with data from the original, apkdb-derived SPDX package before discarding the original package.
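The following is an added example of the enrichment the issue body proposes and of the "start with apkdb data and complement it with the apk SBOM" approach described in the reply above. It is not apko's code: the `Package` and `Checksum` structs are reduced stand-ins for SPDX package records, `MergePackages` and `ExamplePackages` are hypothetical helpers, and the zlib entries are constructed sample data. The merge prefers the apk SBOM field by field, treats the SPDX placeholders `NOASSERTION`/`NONE` as unset so they do not mask a real apkdb value, keeps the apkdb SPDX identifier so relationships already pointing at it in the image SBOM still resolve (a design choice made here), and unions checksums by algorithm. If both sides carry the same algorithm with different digests it keeps the apkdb digest, which is the one apk verified at install time, and reports the disagreement instead of silently choosing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Checksum mirrors one SPDX PackageChecksum entry.
type Checksum struct {
	Algorithm string // e.g. "SHA1", "SHA256"
	Value     string // hex digest
}

// Package is a reduced SPDX package record used for illustration only.
// It is not apko's own type; only the fields the issue discusses are modelled.
type Package struct {
	SPDXID          string
	Name            string
	Version         string
	LicenseDeclared string
	Supplier        string
	Description     string
	Checksums       []Checksum
}

// isUnset treats the SPDX placeholders NOASSERTION and NONE as "no data",
// so a NOASSERTION in the apk SBOM does not hide a real license from the apkdb.
func isUnset(v string) bool {
	v = strings.TrimSpace(v)
	return v == "" || v == "NOASSERTION" || v == "NONE"
}

// pick prefers the apk SBOM value and falls back to the apkdb value when
// the SBOM value is unset.
func pick(fromSBOM, fromAPKDB string) string {
	if isUnset(fromSBOM) {
		return fromAPKDB
	}
	return fromSBOM
}

// MergePackages composes the package entry that would land in the image SBOM:
// the SBOM found inside the apk wins field by field, and whatever it leaves
// unset is filled from the apkdb-derived package instead of being discarded.
// The apkdb SPDXID is kept so existing relationships keep resolving.
// Checksums are unioned by algorithm; a conflicting digest for the same
// algorithm keeps the apkdb value and is returned as a conflict string so the
// caller can fail the build or log it.
func MergePackages(apkdb, sbom Package) (Package, []string) {
	out := Package{
		SPDXID:          pick(apkdb.SPDXID, sbom.SPDXID),
		Name:            pick(sbom.Name, apkdb.Name),
		Version:         pick(sbom.Version, apkdb.Version),
		LicenseDeclared: pick(sbom.LicenseDeclared, apkdb.LicenseDeclared),
		Supplier:        pick(sbom.Supplier, apkdb.Supplier),
		Description:     pick(sbom.Description, apkdb.Description),
	}

	byAlg := make(map[string]Checksum, len(apkdb.Checksums)+len(sbom.Checksums))
	for _, c := range apkdb.Checksums {
		byAlg[c.Algorithm] = c
	}
	var conflicts []string
	for _, c := range sbom.Checksums {
		if prev, ok := byAlg[c.Algorithm]; ok && !strings.EqualFold(prev.Value, c.Value) {
			conflicts = append(conflicts, fmt.Sprintf(
				"%s: %s in apk SBOM (%s) differs from apkdb (%s)",
				out.Name, c.Algorithm, c.Value, prev.Value))
			continue // apkdb digest wins; it is what apk verified on install
		}
		byAlg[c.Algorithm] = c
	}
	for _, c := range byAlg {
		out.Checksums = append(out.Checksums, c)
	}
	sort.Slice(out.Checksums, func(i, j int) bool {
		return out.Checksums[i].Algorithm < out.Checksums[j].Algorithm
	})
	return out, conflicts
}

// ExamplePackages returns a constructed apkdb-derived package and a constructed
// apk SBOM package for the same apk (sample data, not real package metadata).
func ExamplePackages() (apkdb, sbom Package) {
	apkdb = Package{
		SPDXID:          "SPDXRef-Package-apk-zlib-1.3-r0",
		Name:            "zlib",
		Version:         "1.3-r0",
		LicenseDeclared: "Zlib",
		Checksums:       []Checksum{{Algorithm: "SHA1", Value: "0123456789abcdef0123456789abcdef01234567"}},
	}
	sbom = Package{
		SPDXID:          "SPDXRef-Package-zlib",
		Name:            "zlib",
		Version:         "1.3-r0",
		LicenseDeclared: "NOASSERTION", // richer SBOM, but no license asserted
		Supplier:        "Organization: Example Builder",
		Description:     "zlib compression library",
		Checksums:       []Checksum{{Algorithm: "SHA256", Value: strings.Repeat("ab", 32)}},
	}
	return apkdb, sbom
}

func main() {
	apkdb, sbom := ExamplePackages()
	merged, conflicts := MergePackages(apkdb, sbom)
	fmt.Printf("%s %s %s license=%s supplier=%q\n",
		merged.SPDXID, merged.Name, merged.Version, merged.LicenseDeclared, merged.Supplier)
	for _, c := range merged.Checksums {
		fmt.Printf("  %s: %s\n", c.Algorithm, c.Value)
	}
	for _, c := range conflicts {
		fmt.Println("CONFLICT:", c)
	}
}
```

In the sample run the merged entry carries the SBOM's supplier and description, the apkdb's `Zlib` license and SHA1, and the SBOM's SHA256, with no conflicts; feeding an SBOM whose SHA1 disagrees with the apkdb produces one conflict and keeps the apkdb digest.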