
fix: improve CPE and upstream generation logic for Alpine packages #1567

Merged
merged 9 commits into from
Feb 13, 2023

Conversation

westonsteimel
Contributor

CPE-based matching is particularly important for the Alpine and Wolfi ecosystems since the NVD does serve as the authoritative advisory source for vulnerabilities. This improves the generation of CPEs and upstream names which are later used to provide matches in grype. In particular, it uses some seemingly well-adopted prefixes for python and ruby packages to ensure syft tailors the generation to specific logic for those ecosystems.
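As an added illustration (example code, not syft's own implementation), the following Go sketch shows the kind of prefix-aware upstream-name and CPE derivation the description refers to: an apk name is reduced to the upstream project name, and CPE 2.3 candidates are built from it with ecosystem-specific vendor guesses. The `py3-`/`py-`/`ruby-` prefixes, the `-current` suffix handling and the vendor heuristics are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// UpstreamName maps an Alpine apk package name to the upstream project
// name that NVD records are keyed by, plus the ecosystem it was inferred from.
// Assumed prefixes for this example: py3-/py- (Python), ruby- (Ruby);
// a -current suffix (as in nodejs-current) is treated as a variant of
// the same upstream project.
func UpstreamName(apkName string) (upstream, ecosystem string) {
	switch {
	case strings.HasPrefix(apkName, "py3-"):
		return strings.TrimPrefix(apkName, "py3-"), "python"
	case strings.HasPrefix(apkName, "py-"):
		return strings.TrimPrefix(apkName, "py-"), "python"
	case strings.HasPrefix(apkName, "ruby-"):
		return strings.TrimPrefix(apkName, "ruby-"), "ruby"
	}
	return strings.TrimSuffix(apkName, "-current"), "apk"
}

// CPEs builds CPE 2.3 candidates using the upstream name as the product.
// Vendor guesses are heuristics chosen for this example: the product name
// itself, the common NVD "<product>_project" form, and an ecosystem vendor.
func CPEs(apkName, version string) []string {
	upstream, eco := UpstreamName(apkName)
	vendors := []string{upstream, upstream + "_project"}
	switch eco {
	case "python":
		vendors = append(vendors, "python")
	case "ruby":
		vendors = append(vendors, "ruby-lang")
	}
	cpes := make([]string, 0, len(vendors))
	for _, v := range vendors {
		cpes = append(cpes, fmt.Sprintf("cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*", v, upstream, version))
	}
	return cpes
}

func main() {
	// Constructed sample apk names, not taken from a real image.
	for _, n := range []string{"py3-requests", "ruby-rake", "nodejs-current", "openssl"} {
		fmt.Println(n, "->", CPEs(n, "1.0"))
	}
}
```

Matching on the upstream product rather than the apk name is what lets an NVD record filed under the upstream project line up with the Alpine package; too-broad vendor guesses raise false positives, so each candidate list is worth reviewing against real matches.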

@github-actions

github-actions bot commented Feb 13, 2023

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/syft/test/integration
cpu: Intel(R) Xeon(R) Platinum 8370C CPU @ 2.80GHz
                                                          │ ./.tmp/benchmark-1edd6a0.txt │
                                                          │            sec/op            │
ImagePackageCatalogers/alpmdb-cataloger-2                                   11.89m ± 30%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             844.0µ ±  1%
ImagePackageCatalogers/python-package-cataloger-2                           2.993m ±  1%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   645.7µ ±  2%
ImagePackageCatalogers/javascript-package-cataloger-2                       341.9µ ±  1%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   473.3µ ±  1%
ImagePackageCatalogers/rpm-db-cataloger-2                                   439.6µ ±  2%
ImagePackageCatalogers/java-cataloger-2                                     10.55m ±  1%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     7.609µ ±  5%
ImagePackageCatalogers/apkdb-cataloger-2                                    460.3µ ±  1%
ImagePackageCatalogers/go-module-binary-cataloger-2                         17.85µ ±  3%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              948.3µ ±  2%
ImagePackageCatalogers/portage-cataloger-2                                  283.0µ ±  1%
ImagePackageCatalogers/sbom-cataloger-2                                     102.8µ ±  1%
ImagePackageCatalogers/binary-cataloger-2                                   140.0µ ±  5%
geomean                                                                     432.9µ

                                                          │ ./.tmp/benchmark-1edd6a0.txt │
                                                          │             B/op             │
ImagePackageCatalogers/alpmdb-cataloger-2                                   5.060Mi ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                             141.8Ki ± 0%
ImagePackageCatalogers/python-package-cataloger-2                           947.3Ki ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                   155.9Ki ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                       95.88Ki ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                   144.7Ki ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                   170.8Ki ± 0%
ImagePackageCatalogers/java-cataloger-2                                     2.723Mi ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                     1.523Ki ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                    123.1Ki ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                         3.102Ki ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                              314.2Ki ± 0%
ImagePackageCatalogers/portage-cataloger-2                                  75.51Ki ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                     13.06Ki ± 0%
ImagePackageCatalogers/binary-cataloger-2                                   20.55Ki ± 0%
geomean                                                                     106.7Ki

                                                          │ ./.tmp/benchmark-1edd6a0.txt │
                                                          │          allocs/op           │
ImagePackageCatalogers/alpmdb-cataloger-2                                    86.71k ± 0%
ImagePackageCatalogers/ruby-gemspec-cataloger-2                              2.159k ± 0%
ImagePackageCatalogers/python-package-cataloger-2                            15.48k ± 0%
ImagePackageCatalogers/php-composer-installed-cataloger-2                    3.458k ± 0%
ImagePackageCatalogers/javascript-package-cataloger-2                        1.253k ± 0%
ImagePackageCatalogers/dpkgdb-cataloger-2                                    2.646k ± 0%
ImagePackageCatalogers/rpm-db-cataloger-2                                    3.759k ± 0%
ImagePackageCatalogers/java-cataloger-2                                      38.26k ± 0%
ImagePackageCatalogers/graalvm-native-image-cataloger-2                       40.00 ± 0%
ImagePackageCatalogers/apkdb-cataloger-2                                     3.252k ± 0%
ImagePackageCatalogers/go-module-binary-cataloger-2                           101.0 ± 0%
ImagePackageCatalogers/dotnet-deps-cataloger-2                               5.011k ± 0%
ImagePackageCatalogers/portage-cataloger-2                                   1.487k ± 0%
ImagePackageCatalogers/sbom-cataloger-2                                       392.0 ± 0%
ImagePackageCatalogers/binary-cataloger-2                                     609.0 ± 0%
geomean                                                                      2.170k

@westonsteimel westonsteimel marked this pull request as ready for review February 13, 2023 17:09
@westonsteimel westonsteimel requested a review from a team February 13, 2023 17:10

@kzantow kzantow left a comment


LGTM 👍

@westonsteimel westonsteimel added the bug Something isn't working label Feb 13, 2023
@westonsteimel westonsteimel merged commit 57a13ae into main Feb 13, 2023
@westonsteimel westonsteimel deleted the cpe-gen-improvements branch February 13, 2023 17:23
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
…nchore#1567)

* fix: improved CPE-generation logic for alpine packages

Signed-off-by: Weston Steimel <[email protected]>

* fix: improved alpine upstream name generation

Signed-off-by: Weston Steimel <[email protected]>

* fix: improve CPE vendor for alpine

Signed-off-by: Weston Steimel <[email protected]>

* fix: python vendor CPE gen

Signed-off-by: Weston Steimel <[email protected]>

* fix: alpine cpe gen logic

Signed-off-by: Weston Steimel <[email protected]>

* fix: apk CPE update for nodejs-current

Signed-off-by: Weston Steimel <[email protected]>

* fix: CPE update for python pip

Signed-off-by: Weston Steimel <[email protected]>

* fix: CPE update for some ruby packages

Signed-off-by: Weston Steimel <[email protected]>

* fix linting

Signed-off-by: Weston Steimel <[email protected]>

---------

Signed-off-by: Weston Steimel <[email protected]>