Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expand deb cataloger to include opkg #1985

Merged
merged 3 commits into from
Aug 3, 2023
Merged

Expand deb cataloger to include opkg #1985

merged 3 commits into from
Aug 3, 2023

Conversation

johnDeSilencio
Copy link
Contributor

@johnDeSilencio johnDeSilencio commented Aug 1, 2023

What?

This PR expands on the Debian cataloger so that it also catalogs packages installed by opkg.

Why?

#1847 documents the reasons that @spiffcs, myself, and others may have for wanting to be able to catalog packages installed with opkg using syft. In short, by supporting opkg, syft will support those creating SBOMs for software containerized with OpenWrt, those working in the Yocto ecosystem, and broadens support for generating SBOMs for embedded systems in general.

How?

Because opkg strives to conform "to a subset of debian’s policy manual regarding control files", opkg package metadata is actually deb package metadata and can be parsed with the same cataloger - albeit from a different location.

The image openwrt/rootfs stores opkg package metadata under the directory /var/lib/opkg/info/*. The company I work for uses tools from the Yocto ecosystem, not OpenWRT, and we have an internal image that stores the metadata under /usr/lib/opkg/info/*. To generalize, I made the globs look for anything under a directory like **/lib/opkg.

Before putting up this PR, I discussed the possibility of creating a dedicated cataloger for opkg with @kzantow over Slack. Not only will this not work without an upstream PR to package-URL to define a new type for opkg, but it doesn't make any sense. The deb PURL type is for debian and debian-derived packages; opkg packages are debian-derived. Making a separate cataloger for opkg is not necessary since opkg packages can and should be cataloged as deb packages.

Testing?

  1. Clone the repo with git clone https://github.com/johnDeSilencio/syft and navigate to the new directory with cd syft/
  2. Checkout the most recent commit from feature/expand-deb-cataloger-to-include-opkg
  3. Run make bootstrap
  4. Run make snapshot
  5. Run syft openwrt/rootfs. You should see something like the following output:
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [1 packages]
NAME     VERSION  TYPE
busybox  1.34.9    binary
  1. Run docker run -it anchore/syft:latest openwrt/rootfs. You should see something like the following output:
 ✔ Parsed image                                                                                     sha256:df1f661107dca36745dd2bd9f36e1a760f7c90ae7b88270795d52c8b6b4697fe
 ✔ Cataloged packages              [197 packages]
NAME                        VERSION                                      TYPE
base-files                  1233-r03459-4c5d910ef1                       deb
busybox                     1.34.9                                       binary
busybox                     1.31.2-2                                     deb
ca-bundle                   20231214-1                                   deb
// ...
urngd                       2023-01-01-7aefb47b-1                        deb
usign                       2020-08-04-a1f326562e-1                      deb

Nicholas R. Smith added 3 commits August 1, 2023 12:33
opkg uses the same or nearly the same metadata and structure as Debian:

**/lib/opkg/status lists status information for all packages
**/lib/opkg/info/opkg.conffiles is a list of configuration files
**/lib/opkg/info/*.list contains files and directories installed by the package
**/lib/opkg/info/*.preinst are scripts to run before installation
**/lib/opkg/info/*.postinst are scripts to run after installation
**/lib/opkg/info/*.postrm are scripts to run after package removal
**/lib/opkg/info/*.control provides package metadata

Signed-off-by: Nicholas R. Smith <[email protected]>
Signed-off-by: Nicholas R. Smith <[email protected]>
@spiffcs
Copy link
Contributor

spiffcs commented Aug 3, 2023

@johnDeSilencio thanks so much for the quick contribution - this is great and we'll be sure to get it tried out for the next release =)

@johnDeSilencio
Copy link
Contributor Author

@johnDeSilencio thanks so much for the quick contribution - this is great and we'll be sure to get it tried out for the next release =)

You're welcome! Thank you and @kzantow for being responsive and helping me work out the best way to go about creating this PR. Seems like you have a great team at Anchore 😃

Also, heads up that I posted a follow-up PR. I forgot to run syft on the private image used by company, and I noticed there were warnings when I did. This PR removes those warnings.

@kzantow kzantow added the enhancement New feature or request label Aug 14, 2023
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* Add opkg info directory and status file to deb cataloger

opkg uses the same or nearly the same metadata and structure as Debian:
**/lib/opkg/status lists status information for all packages
**/lib/opkg/info/opkg.conffiles is a list of configuration files
**/lib/opkg/info/*.list contains files and directories installed by the package
**/lib/opkg/info/*.preinst are scripts to run before installation
**/lib/opkg/info/*.postinst are scripts to run after installation
**/lib/opkg/info/*.postrm are scripts to run after package removal
**/lib/opkg/info/*.control provides package metadata

Signed-off-by: Nicholas R. Smith <[email protected]>

---------

Signed-off-by: Nicholas R. Smith <[email protected]>
Co-authored-by: Nicholas R. Smith <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants