Open pnasrat opened 8 months ago
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle rotten
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
What happened:
I was testing the RPM scanner functionality and noticed it was returning no packages on recent Fedora images (36+), compared to running generate on Debian images.
Here I am testing with the Fedora 38 amd64 image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9
Analysis
Recent Fedora and derived distributions have made /var/lib/rpm a symlink to ../../usr/lib/sysimage/rpm.
This will also be broken on OSTree images and recent SUSE, and probably future RHEL.
See https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
The current rpmdb extraction code checks that the full rpmdb path (e.g. var/lib/rpm/rpmdb.sqlite) exists in the tar; however, if var/lib/rpm is a symlink the existence check will fail: https://github.com/kubernetes-sigs/bom/blob/main/pkg/osinfo/scanner_rpm.go#L67
I'm happy to create a PR to fix this.
What you expected to happen:
Fedora RPM packages to be included in the generated spdx file
How to reproduce it (as minimally and precisely as possible):
```shell
go run cmd/bom/main.go generate --output=fedora.spdx --image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9
go run cmd/bom/main.go document outline fedora.spdx
```
/kind bug
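The failure described in the report, and one way to look up a path through a symlinked parent directory inside an image layer, as an added example in Go. This is not code from the bom project and not the fix the issue author proposes: it indexes the tar headers once, resolves each path component through symlinks the way a filesystem would (relative targets against the link's parent, absolute targets against the archive root), keeps every resolved target inside the archive root so a hostile layer cannot point the scanner outside it, and caps hops so a looping symlink cannot hang the scan. The archive layout is constructed in memory to mirror the report; the members opt/rpm-abs and loop/self are assumptions added only to exercise the absolute-link and loop edge cases.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// archiveIndex maps cleaned, root-relative member names to their tar headers.
type archiveIndex struct {
	entries map[string]*tar.Header
}

// cleanPath normalises a member name or link target to a root-relative path:
// no leading "/", no "./", and ".." can never climb above the archive root.
func cleanPath(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// indexTar reads every header once so lookups do not re-scan the stream.
func indexTar(data []byte) (*archiveIndex, error) {
	idx := &archiveIndex{entries: map[string]*tar.Header{}}
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		h, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return idx, nil
		}
		if err != nil {
			return nil, err
		}
		idx.entries[cleanPath(h.Name)] = h
	}
}

// Resolve returns the real member name behind p, following symlinks in any
// component. Relative targets resolve against the symlink's parent directory,
// absolute ones against the archive root, and hops are capped to stop loops.
func (idx *archiveIndex) Resolve(p string) (string, error) {
	const maxHops = 40
	hops, cur := 0, ""
	comps := strings.Split(cleanPath(p), "/")
	for i := 0; i < len(comps); i++ {
		if comps[i] == "" || comps[i] == "." {
			continue
		}
		next := path.Join(cur, comps[i])
		if h, ok := idx.entries[next]; ok && h.Typeflag == tar.TypeSymlink {
			hops++
			if hops > maxHops {
				return "", fmt.Errorf("%s: too many symlink hops", p)
			}
			target := h.Linkname
			if !path.IsAbs(target) {
				target = path.Join(cur, target)
			}
			// Splice the target in front of the unconsumed components and restart.
			comps = append(strings.Split(cleanPath(target), "/"), comps[i+1:]...)
			cur, i = "", -1
			continue
		}
		cur = next
	}
	if _, ok := idx.entries[cur]; !ok {
		return "", fmt.Errorf("%s: not present in archive", p)
	}
	return cur, nil
}

// buildFedoraLikeArchive constructs an in-memory layer (constructed test data,
// not a real Fedora image) with the layout the issue describes, plus an
// absolute symlink and a self-referencing symlink (both assumptions) to
// exercise the edge cases.
func buildFedoraLikeArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdrs := []*tar.Header{
		{Name: "usr/lib/sysimage/rpm/", Typeflag: tar.TypeDir, Mode: 0o755},
		{Name: "usr/lib/sysimage/rpm/rpmdb.sqlite", Typeflag: tar.TypeReg, Mode: 0o644},
		{Name: "var/lib/rpm", Typeflag: tar.TypeSymlink, Linkname: "../../usr/lib/sysimage/rpm", Mode: 0o777},
		{Name: "opt/rpm-abs", Typeflag: tar.TypeSymlink, Linkname: "/usr/lib/sysimage/rpm", Mode: 0o777},
		{Name: "loop/self", Typeflag: tar.TypeSymlink, Linkname: "self", Mode: 0o777},
	}
	for _, h := range hdrs {
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}
```

A literal lookup of "var/lib/rpm/rpmdb.sqlite" in the index misses, which is the behaviour the report describes; Resolve on the same path returns "usr/lib/sysimage/rpm/rpmdb.sqlite". Resolving through the symlink happens entirely inside the archive, so no file is extracted to disk and an absolute or ".."-laden link target can only ever name another member of the same layer.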