remove other relationship from syft generated rpm sboms #35
Conversation
Might this end up with packages not referenced by a relationship?
I didn't notice earlier but there are 2 relationship types added by Syft. An 'OTHER' relationship which is removed by this PR, and the expected 'CONTAINS' one.
The change to the openshift-pipelines-client is a bit hard to check so I visualized it with spdxshow as: The internal mirror repo is for some reason shown three times, but the individual Go binaries are only related to one of them. Is this just an issue with the visualizer?
I pushed an update to spdxshow to make this clearer. What's happening is that each source archive has the same download URL -- I don't think that's correct. It's also using unquoted '#' in the download_url qualifier for the purl, which I also think isn't right. The
I pushed another update which follows the openssl midstream example previously included to include the midstream sources for openshift-pipelines-client as well. I wasn't able to visualize it with spdx-show because of this issue with graph-viz:
For the spdxshow issue: https://bugzilla.redhat.com/show_bug.cgi?id=458661 Workaround:
By default Syft generates SPDX Documents where embedded dependencies discovered in a go.mod file have an extra set of 'OTHER' relationships added, in addition to the expected 'CONTAINS' relationship. Let's reduce the number of relationships in the SBOM by removing the 'OTHER' ones.
This also changes the URL used by SourceN packages to use the internal git location if a remote one is not found.
Lastly it adds CPE values to the RPM release manifest.
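As an added example (not code from this PR or from Syft), a small Python filter that drops the 'OTHER' relationships from an SPDX JSON document and then answers the reviewer's question above by listing any package that no remaining relationship references. The SBOM fragment, its package names and its SPDX IDs are constructed for the example.

```python
import json
from copy import deepcopy

# Constructed SPDX 2.3 JSON fragment (not real Syft output): an RPM that CONTAINS a
# Go module, the duplicate OTHER edge emitted alongside it, and a second module
# that is reachable only through an OTHER edge (the case the reviewer asked about).
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-Package-rpm-example", "name": "example"},
    {"SPDXID": "SPDXRef-Package-go-module-a", "name": "module-a"},
    {"SPDXID": "SPDXRef-Package-go-module-b", "name": "module-b"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-rpm-example", "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-Package-rpm-example", "relatedSpdxElement": "SPDXRef-Package-go-module-a", "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-Package-go-module-a", "relatedSpdxElement": "SPDXRef-Package-rpm-example", "relationshipType": "OTHER"},
    {"spdxElementId": "SPDXRef-Package-go-module-b", "relatedSpdxElement": "SPDXRef-Package-rpm-example", "relationshipType": "OTHER"}
  ]
}
""")


def drop_other_relationships(doc: dict) -> dict:
    """Return a copy of the SPDX document with every OTHER relationship removed."""
    out = deepcopy(doc)
    out["relationships"] = [r for r in doc.get("relationships", [])
                            if r.get("relationshipType") != "OTHER"]
    return out


def orphaned_packages(doc: dict) -> set:
    """SPDXIDs of packages that no relationship in the document refers to."""
    referenced = set()
    for r in doc.get("relationships", []):
        referenced.add(r["spdxElementId"])
        referenced.add(r["relatedSpdxElement"])
    return {p["SPDXID"] for p in doc.get("packages", [])} - referenced


if __name__ == "__main__":
    trimmed = drop_other_relationships(SAMPLE_SBOM)
    print(len(SAMPLE_SBOM["relationships"]), "->", len(trimmed["relationships"]), "relationships")
    # Any package listed here lost its only edge and needs a CONTAINS relationship instead.
    print("orphaned after filtering:", sorted(orphaned_packages(trimmed)))
```

Running the orphan check before and after filtering is the cheap way to confirm the PR's concern: a package that was only reachable through an OTHER edge shows up in the second set.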