tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Fix logic error in binary detection #1157

Closed rnjudge closed 2 years ago

rnjudge commented 2 years ago

The get_base_bin() function in default_common.py iterates through all of the entries in base.yml and, for each entry, checks the existence of each 'path' value in order to locate a valid binary. When the first binary path is located, Tern should break out of both loops and return the found binary value. However, due to a logic oversight, Tern was only breaking out of the first loop, which meant the function continued to look for valid binary paths even after one was found.

For most base OSes this is not an issue because additional binary paths will not exist. For certain base OSes like photon, however, this was problematic because both tdnf and rpm binary paths exist even though only the tdnf binary actually works for package metadata collection.

This commit adds code to break out of the second loop once a valid binary is found.

Resolves #1156

Signed-off-by: Rose Judge rjudge@vmware.com
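The nested-loop bug described in the PR, as an added example that is not Tern's own get_base_bin() or default_common.py. It models base.yml as a plain dict and replaces the filesystem check with a lookup in a constructed set of paths so it runs offline; the binary names, paths and the PHOTON_FS / ALPINE_FS snapshots are constructed for illustration.

```python
"""Illustration of breaking out of an inner loop only, versus both loops.

Added example, not code from the Tern project. base.yml is modelled as a
dict (binary name -> candidate paths) and os.path.exists() is replaced by
membership in a constructed set of paths that "exist" in the image.
"""
from typing import Dict, List, Optional, Set

# Constructed stand-in for base.yml. Insertion order matters: tdnf is listed
# before rpm, matching the PR's point that on photon only tdnf yields usable
# package metadata even though both binaries are present.
BASE_YML: Dict[str, Dict[str, List[str]]] = {
    "tdnf": {"path": ["usr/bin/tdnf"]},
    "rpm": {"path": ["usr/bin/rpm", "bin/rpm"]},
    "apk": {"path": ["sbin/apk"]},
}

# Constructed filesystem snapshots: the set of paths present in the image.
PHOTON_FS: Set[str] = {"usr/bin/tdnf", "usr/bin/rpm"}   # both binaries exist
ALPINE_FS: Set[str] = {"sbin/apk"}                      # only one candidate exists


def get_base_bin_buggy(existing: Set[str],
                       base_yml: Dict[str, Dict[str, List[str]]] = BASE_YML
                       ) -> Optional[str]:
    """The pattern the PR fixes: `break` leaves only the inner loop.

    The outer loop keeps iterating, so a later entry whose path also exists
    overwrites the earlier hit and the LAST match wins instead of the first.
    """
    binary = None
    for name, entry in base_yml.items():
        for path in entry["path"]:
            if path in existing:
                binary = name
                break  # exits the inner `for path` loop only
    return binary


def get_base_bin_fixed(existing: Set[str],
                       base_yml: Dict[str, Dict[str, List[str]]] = BASE_YML
                       ) -> Optional[str]:
    """Same search, but the outer loop is also left once a path is found.

    A `found` flag is used so the second `break` is explicit, mirroring the
    description "adds code to break out of the second loop"; an early
    `return name` inside the inner loop would be equivalent.
    """
    binary = None
    found = False
    for name, entry in base_yml.items():
        for path in entry["path"]:
            if path in existing:
                binary = name
                found = True
                break  # exits the inner loop
        if found:
            break      # exits the outer loop, so the FIRST match wins
    return binary


if __name__ == "__main__":
    # On the photon-like snapshot the buggy version returns "rpm" because the
    # rpm entry is visited after tdnf; the fixed version stops at "tdnf".
    print("buggy, photon:", get_base_bin_buggy(PHOTON_FS))
    print("fixed, photon:", get_base_bin_fixed(PHOTON_FS))
    # When only one candidate exists the two versions agree, which is why the
    # bug went unnoticed on most base OSes.
    print("buggy, alpine:", get_base_bin_buggy(ALPINE_FS))
    print("fixed, alpine:", get_base_bin_fixed(ALPINE_FS))
```

The difference only surfaces when more than one entry's path exists in the image, which is exactly the photon case from the PR; on an image with a single matching binary both versions return the same name, so a test suite built only from such images would not catch the regression.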