unintended artifactRelationship records of type ownership-by-file-overlap are being reported in SBOMs generated against current fedora container images #1077

Closed
nurmi opened this issue Jun 29, 2022 · 1 comment
nurmi commented Jun 29, 2022

What happened:

Noticed that when generating an SBOM against the latest fedora containers (e.g. docker.io/fedora:36, docker.io/fedora:37), there are many 'artifactRelationships' records of type 'ownership-by-file-overlap', specifically for '/usr/lib/sysimage/rpm/rpmdb.sqlite'. Essentially, it appears that every RPM has such a relationship record where the parent is the 'rpm' package itself. This is a change from previous fedora containers, where those ownership-by-file-overlap records did not exist in the output of syft.

What you expected to happen:

In:

var globsForbiddenFromBeingOwned = []string{

there is an explicit filter to ensure that the rpmdb.sqlite (matched by the global RpmDBGlob regex) is filtered out when determining whether there is an ownership-by-file-overlap type relationship, and the expectation is that the rpmdb.sqlite location in current fedora images would be filtered like it is against older fedora container images.

How to reproduce it (as minimally and precisely as possible):

Since fedora:36 and fedora:35 don't have substantially different composition, one can see the difference by inspecting the number and nature of the ownership-by-file-overlap records between the syft output of the two images, but a shortcut is:

# syft -o json fedora:36 | grep ownership-by-file-overlap | wc
    149     298    5960

# syft -o json fedora:35 | grep ownership-by-file-overlap|wc
      3       6     120

Anything else we need to know?:

I believe the fundamental reason for this new behavior is that fedora:36 (and 37, perhaps others moving forward) have introduced a change where /var/lib/rpm is a softlink to /usr/lib/sysimage/rpm, whereas in prior fedora builds /var/lib/rpm was a real directory.

# docker run -t -i fedora:35 ls -ald /var/lib/rpm
drwxr-xr-x 2 root root 4096 Feb  2 12:40 /var/lib/rpm

# docker run -t -i fedora:36 ls -ald /var/lib/rpm
lrwxrwxrwx 1 root root 26 May  6 10:10 /var/lib/rpm -> ../../usr/lib/sysimage/rpm

# docker run -t -i fedora:36 ls -ald /usr/lib/sysimage/rpm
drwxr-xr-x 2 root root 4096 May  6 10:10 /usr/lib/sysimage/rpm

Because of that change, the filter in relationships_by_file_ownership.go is not working properly, since the RpmDBGlob does not account for any rpmdb.sqlite location other than "**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}".

I'm interested in suggestions as to whether a good solution would be to add a glob to the filter list in relationships_by_file_ownership.go to account for this difference, or to adjust the RpmDBGlob itself to account for different potential locations of the rpmdb.sqlite file (or another solution :).

Environment:

  • Output of syft version:
# syft version
Application:        syft
Version:            0.48.1
JsonSchemaVersion:  3.3.0
BuildDate:          2022-06-16T19:31:51Z
GitCommit:          03e37044d437294b0aac44a4e9277eb8f6c8be3f
GitDescription:     v0.48.1
Platform:           linux/amd64
GoVersion:          go1.18.3
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
@nurmi nurmi added the bug Something isn't working label Jun 29, 2022
nurmi commented Jun 30, 2022

After looking more closely at the logic and reviewing the two different uses of the RpmDBGlob, I suggest that, since this issue only affects the filtering of special files during creation of ownership-by-file-overlap type artifact relationship records, the better solution would be to add a new glob to catch the more general rpm metadata locations rather than adjusting the global RpmDBGlob itself, since that is used for other purposes.

 "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
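A compact model of the filter discussed in this issue, written here as an added example (not syft's own code): it expands the two globs quoted above with a minimal stand-in for the doublestar matcher syft uses (an assumption; `**/` is approximated as a floating prefix) and counts the ownership-by-file-overlap records a catalog of n RPMs would receive when the rpmdb.sqlite location escapes the forbidden list.

```go
package main

import (
	"path"
	"strings"
)

// Globs from the issue: syft's current RpmDBGlob and the broader one proposed in the follow-up.
const (
	rpmDBGlob       = "**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}"
	rpmMetadataGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
)

// expandBraces turns one {a,b,c} alternation into separate plain patterns.
func expandBraces(glob string) (out []string) {
	o, c := strings.Index(glob, "{"), strings.Index(glob, "}")
	if o < 0 || c < o {
		return []string{glob}
	}
	for _, alt := range strings.Split(glob[o+1:c], ",") {
		out = append(out, expandBraces(glob[:o]+alt+glob[c+1:])...)
	}
	return out
}

// globMatches is a minimal stand-in (assumption) for the doublestar matcher syft uses:
// a leading "**/" absorbs any number of leading segments; the rest must match what is left.
func globMatches(glob, p string) bool {
	segs := strings.Split(strings.TrimPrefix(p, "/"), "/")
	for _, g := range expandBraces(glob) {
		rest, floating := strings.TrimPrefix(g, "**/"), strings.HasPrefix(g, "**/")
		for i := 0; i < len(segs) && (floating || i == 0); i++ {
			if ok, _ := path.Match(rest, strings.Join(segs[i:], "/")); ok {
				return true
			}
		}
	}
	return false
}

// overlapRecords models the issue's symptom: n RPMs are all cataloged from dbPath and the rpm
// package lists dbPath as its own file, so rpm is parent of the other n-1 unless dbPath is forbidden.
func overlapRecords(dbPath string, n int, forbiddenGlobs []string) int {
	for _, g := range forbiddenGlobs {
		if globMatches(g, dbPath) {
			return 0 // filtered: no ownership-by-file-overlap records for this file
		}
	}
	return n - 1
}
```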

nurmi added a commit that referenced this issue Jun 30, 2022
… when var/lib/rpm is a softlinked (#1077)

Signed-off-by: Daniel Nurmi <nurmi@anchore.com>
spiffcs pushed a commit that referenced this issue Jun 30, 2022
… when var/lib/rpm is a softlinked (#1077)

Signed-off-by: Daniel Nurmi <nurmi@anchore.com>
@spiffcs spiffcs closed this as completed Jul 5, 2022