Skip to content

Commit

Permalink
fix(sbom): fix wrong overwriting of applications obtained from differ…
Browse files Browse the repository at this point in the history
…ent sbom files but having same app type (#8052)
  • Loading branch information
DmitriyLewen authored Dec 5, 2024
1 parent 5e68bdc commit fd07074
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 28 deletions.
9 changes: 9 additions & 0 deletions pkg/fanal/analyzer/sbom/sbom.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"os"
"path"
"slices"
"strings"

"golang.org/x/xerrors"
Expand Down Expand Up @@ -51,6 +52,14 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
handleBitnamiImages(path.Dir(input.FilePath), bom)
}

// FilePath for apps with aggregatingTypes is empty.
// Set the SBOM file path as Application.FilePath to correctly overwrite applications when merging layers.
for i, app := range bom.Applications {
if slices.Contains(ftypes.AggregatingTypes, app.Type) && app.FilePath == "" {
bom.Applications[i].FilePath = input.FilePath
}
}

return &analyzer.AnalysisResult{
PackageInfos: bom.Packages,
Applications: bom.Applications,
Expand Down
58 changes: 30 additions & 28 deletions pkg/fanal/analyzer/sbom/sbom_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,34 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: types.Jar,
Type: types.Bitnami,
FilePath: "opt/bitnami/elasticsearch",
Packages: types.Packages{
{
ID: "elasticsearch@8.9.1",
Name: "elasticsearch",
Version: "8.9.1",
Arch: "arm64",
Licenses: []string{"Elastic-2.0"},
Identifier: types.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "elasticsearch",
Version: "8.9.1",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "arm64",
},
},
},
},
},
},
},
{
Type: types.Jar,
FilePath: "opt/bitnami/elasticsearch/.spdx-elasticsearch.spdx",
Packages: types.Packages{
{
ID: "co.elastic.apm:apm-agent:1.36.0",
Expand Down Expand Up @@ -88,32 +115,6 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
},
},
{
Type: types.Bitnami,
FilePath: "opt/bitnami/elasticsearch",
Packages: types.Packages{
{
ID: "elasticsearch@8.9.1",
Name: "elasticsearch",
Version: "8.9.1",
Arch: "arm64",
Licenses: []string{"Elastic-2.0"},
Identifier: types.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "elasticsearch",
Version: "8.9.1",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "arm64",
},
},
},
},
},
},
},
},
},
wantErr: require.NoError,
Expand All @@ -125,7 +126,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: types.Jar,
Type: types.Jar,
FilePath: "opt/bitnami/elasticsearch/.spdx-elasticsearch.cdx",
Packages: types.Packages{
{
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
Expand Down

0 comments on commit fd07074

Please sign in to comment.