k8s-triage-robot
commented
5 months ago The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
puerco
What happened:
I was testing the RPM scanner functionality and noticed it was returning no packages on recent Fedora images (36+), compared to running generate on debian images.
Here testing with fedora 38 amd64 image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9
Analysis
Recent Fedora and derived distributions have made
/var/lib/rpma symlink to../../usr/lib/sysimage/rpmThis will also be broken on OSTree images and recent SUSE, and probably future RHEL
See https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
The current rpmdb extraction code checks that the full rpmdb (eg
var/lib/rpm/rpmdb.sqlite) path exists in the tar, however ifvar/lib/rpmis a symlink the existence check will failhttps://github.com/kubernetes-sigs/bom/blob/main/pkg/osinfo/scanner_rpm.go#L67I'm happy to create a PR to fix this
What you expected to happen:
Fedora RPM packages to be included in the generated spdx file
How to reproduce it (as minimally and precisely as possible):
go run cmd/bom/main.go generate --output=fedora.spdx --image quay.io/fedora/fedora@sha256:3a1fa4954928d6b8244b36c5de3b6f30d7e6b55227f4f329bba1125a093ae4f9go run cmd/bom/main.go document outline fedora.spdx/kind bug