Filter out packages owned by OS packages

For example, if the rpm "python3-rpm" is installed, it brings a python package called "rpm" with it, which is just python bindings to RPM. But this python package is part of "python3-rpm", and should not be matched against directly. Signed-off-by: Will Murphy <[email protected]>
anchore · Jul 13, 2023 · 32a96ce · 32a96ce
1 parent 9050883
commit 32a96ce
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/grype/pkg/package.go b/grype/pkg/package.go
@@ -135,14 +135,29 @@ func excludePackage(p pkg.Package, parent pkg.Package) bool {
 		return false
 	}
 
+	// If the parent is an OS package and the child is not, exclude the child
+	if isOSPackage(parent) && !isOSPackage(p) {
+		return true
+	}
+
 	// filter out only binary pkg, empty types, or equal types
 	if p.Type != pkg.BinaryPkg && p.Type != "" && p.Type != parent.Type {
+		// when I fix the version info, I think this one will exclude it.
 		return false
 	}
 
 	return true
 }
 
+func isOSPackage(p pkg.Package) bool {
+	switch p.Type {
+	case pkg.DebPkg, pkg.RpmPkg, pkg.ApkPkg:
+		return true
+	default:
+		return false
+	}
+}
+
 func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 	var metadata interface{}
 	var upstreams []UpstreamPackage

diff --git a/grype/pkg/package_test.go b/grype/pkg/package_test.go
@@ -666,6 +666,13 @@ func Test_RemoveBinaryPackagesByOverlap(t *testing.T) {
 				[]string{"rpm:[email protected] -> apk:[email protected]"}),
 			expectedPackages: []string{"apk:[email protected]", "rpm:[email protected]"},
 		},
+		{
+			name: "python bindings for system RPM install",
+			sbom: catalogWithOverlaps(
+				[]string{"rpm:[email protected]", "python:[email protected]"},
+				[]string{"rpm:[email protected] -> python:[email protected]"}),
+			expectedPackages: []string{"rpm:[email protected]"},
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {