#1077: unintended artifactRelationship records of type ownership-by-file-overlap are being reported in SBOMs generated against current fedora container images
Noticed that when generating an SBOM against latest fedora containers (e.g. docker.io/fedora:36, docker.io/fedora:37), there are many 'artifactRelationships' records of type 'ownership-by-file-overlap' specifically for '/usr/lib/sysimage/rpm/rpmdb.sqlite'. Essentially, it appears that every RPM has such a relationship record where the parent is the 'rpm' package itself. This is a change from previous fedora containers where those ownership-by-file-overlap records do not exist in the output of syft.
In syft/pkg/relationships_by_file_ownership.go (line 10 at 1e3ffbe) there is an explicit filter to ensure that the rpmdb.sqlite (matched by the global RpmDBGlob regex) is filtered out when determining whether there is an ownership-by-file-overlap type relationship, and the expectation is that the rpmdb.sqlite location in current fedora images would be filtered as it is against older fedora container images.
How to reproduce it (as minimally and precisely as possible):
Since fedora:36 and fedora:35 don't have substantially different composition, one can see the difference by inspecting the number and nature of the ownership-by-file-overlap records between the syft output of the two images, but a shortcut way is
I believe the fundamental reason for this new behavior is that fedora:36 (and 37, perhaps others moving forward) have introduced a change where /var/lib/rpm is a softlink to /usr/lib/sysimage/rpm, whereas in prior fedora builds /var/lib/rpm was a real directory.
```console
# docker run -t -i fedora:35 ls -ald /var/lib/rpm
drwxr-xr-x 2 root root 4096 Feb 2 12:40 /var/lib/rpm
# docker run -t -i fedora:36 ls -ald /var/lib/rpm
lrwxrwxrwx 1 root root 26 May 6 10:10 /var/lib/rpm -> ../../usr/lib/sysimage/rpm
# docker run -t -i fedora:36 ls -ald /usr/lib/sysimage/rpm
drwxr-xr-x 2 root root 4096 May 6 10:10 /usr/lib/sysimage/rpm
```
Because of that change, the filter in relationships_by_file_ownership.go is not working properly, since the RpmDBGlob does not account for any rpmdb.sqlite location other than `**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}`.
I'm interested in suggestions as to whether a good solution would be to add a glob to the filter list in relationships_by_file_ownership.go to account for this difference, or to adjust the RpmDBGlob itself to account for different potential locations of the rpmdb.sqlite file (or another solution :).
After looking more closely at the logic and reviewing the two different uses of the RpmDBGlob, I suggest that since this issue only affects the filtering of special files during creation of ownership-by-file-overlap type artifact relationship records, the better solution would be to add a new glob to catch the more general rpm metadata locations rather than adjusting the global RpmDBGlob itself, since that is used for other purposes.
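As an added illustration (not code from syft or from this issue), the Go program below models the filtering step discussed above: a hand-rolled matcher for the two glob constructs RpmDBGlob uses, a constructed fedora:36-style package set in which every package was read from the sysimage rpmdb, and the overlap relationships produced with and without an extra sysimage glob. `GlobsToRegexp`, `Package`, `OverlapRelationships` and `SysimageRpmGlob` are my own names and assumptions; syft's real glob matcher and relationship code are different.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RpmDBGlob is quoted from the issue; SysimageRpmGlob is the extra filter glob
// the issue proposes (its exact spelling is my assumption).
const RpmDBGlob = "**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}"
const SysimageRpmGlob = "**/usr/lib/sysimage/rpm/{Packages,Packages.db,rpmdb.sqlite}"
// GlobsToRegexp handles only what these globs use: a leading "**/" (any directory
// prefix, including none) and one {a,b,c} alternation; the globs are OR-ed together.
func GlobsToRegexp(globs ...string) *regexp.Regexp {
	var alts []string
	for _, g := range globs {
		re := strings.Replace(regexp.QuoteMeta(g), `\*\*/`, `(?:.*/)?`, 1)
		alts = append(alts, strings.NewReplacer(`\{`, `(?:`, `\}`, `)`, `,`, `|`).Replace(re))
	}
	return regexp.MustCompile("^(?:" + strings.Join(alts, "|") + ")$")
}
// Package stands in for a catalogued RPM: the db file it was read from, and what it installs.
type Package struct {
	Name, FoundAt string
	Owns          []string
}
// OverlapRelationships emits "owner -> child" whenever a package installs the file child
// was read from, unless that file matches a filter glob (the step the issue says misses
// the sysimage rpmdb path, so every package gets linked to the rpm package).
func OverlapRelationships(pkgs []Package, filterGlobs ...string) []string {
	skip, rels := GlobsToRegexp(filterGlobs...), []string{}
	for _, child := range pkgs {
		for _, owner := range pkgs {
			for _, f := range owner.Owns {
				if f == child.FoundAt && owner.Name != child.Name && !skip.MatchString(f) {
					rels = append(rels, owner.Name+" -> "+child.Name)
				}
			}
		}
	}
	return rels
}

func main() {
	// Constructed fedora:36-style sample: every package was read from the sysimage rpmdb, which rpm installs.
	db := "/usr/lib/sysimage/rpm/rpmdb.sqlite"
	pkgs := []Package{{"rpm", db, []string{db}}, {"bash", db, nil}, {"coreutils", db, nil}}
	fmt.Println(OverlapRelationships(pkgs, RpmDBGlob))                  // [rpm -> bash rpm -> coreutils]
	fmt.Println(OverlapRelationships(pkgs, RpmDBGlob, SysimageRpmGlob)) // []
}
```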