This issue was moved to a discussion.

referenceLocator purl does not include upstream information about system packages #3942

Closed
beltran-rubo opened this issue Mar 31, 2023 · 5 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/sbom Issues relating to SBOM

Comments


beltran-rubo commented Mar 31, 2023

Description

The purl information does not include the upstream package that a specific OS package is coming from. For instance:

```shell
$ trivy image --format spdx-json debian:latest > debian.json
```

The package libssl1.1 includes this information: "referenceLocator": "pkg:deb/debian/[email protected]+deb11u4?distro=debian-11.6". The issue with not including the upstream information from the package in the purl is that there is no way to detect CVEs based on that information, as those are linked to the upstream package.

The correct information should be "referenceLocator": "pkg:deb/debian/[email protected]+deb11u4?upstream=openssl&distro=debian-11.6".

In the CycloneDX SBOM that metadata already exists, but not as part of the purl:

```json
{
  "name": "aquasecurity:trivy:SrcName",
  "value": "openssl"
},
```

What did you expect to happen?

Include the upstream information from the OS package metadata as part of the SBOM. It does not appear in the SPDX or CycloneDX purl.

What happened instead?

No upstream information as part of the purl.

Output of trivy -v:

```
Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-31 06:17:32.691408303 +0000 UTC
  NextUpdate: 2023-03-31 12:17:32.691407903 +0000 UTC
  DownloadedAt: 2023-03-31 06:53:06.842877 +0000 UTC
```
@beltran-rubo beltran-rubo added the kind/bug Categorizes issue or PR as related to a bug. label Mar 31, 2023
@DmitriyLewen (Contributor)

Hello @beltran-rubo
Thanks for your report!

We created #3971 to add upstream to purl.

Regards, Dmitriy

@knqyf263 knqyf263 added this to the v0.39.1 milestone Apr 3, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 3, 2023

knqyf263 commented Apr 4, 2023

@beltran-rubo Thanks for raising the issue. I didn't find the specification. Could you share a link that we should reference?
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#deb
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#rpm

@knqyf263 knqyf263 added the scan/sbom Issues relating to SBOM label Apr 4, 2023
@beltran-rubo (Author)

That is right, it is still not there, but there are other tools following that convention. See #3485: Syft already includes that information as part of the purl. There is also an interesting discussion of why adding upstream is needed as part of the purl in anchore/syft#1700 (comment). The key part is that CVEs for Linux distributions tend to be written against the source package and not the downstream packages. That solution looks simple to adopt and does not require changes to the current CycloneDX spec.


knqyf263 commented Apr 5, 2023

I'm not sure upstream is the best solution here. We include the source information in custom properties of SPDX and CycloneDX. It still seems to be a Syft-specific design. Syft can follow our approach. We should discuss and define it in PURL.

@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 5, 2023
@beltran-rubo (Author)

In the case of SPDX the source information is a plain string that would be difficult to parse to get the package name, e.g.
"sourceInfo": "built package from: nghttp2 1.43.0-5.el9", when the useful part would be nghttp2-1.43.0-5.el9.src.rpm to get the vulnerabilities associated with the source package.
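An added example (not Trivy's or Syft's code) of what a consumer of these SBOMs has to do today: read the source package name from Trivy's CycloneDX `aquasecurity:trivy:SrcName` property or from the SPDX `sourceInfo` string quoted above, and rebuild the purl with an `upstream` qualifier in the form Syft emits. The sample purl values, including the libssl version, are constructed for the example.

```python
"""Derive an `upstream` purl qualifier from Trivy SBOM metadata.

Added example, not Trivy's or Syft's code. The source package name comes
from Trivy's CycloneDX property `aquasecurity:trivy:SrcName` or from the
SPDX `sourceInfo` string; `upstream` follows Syft's convention, which the
purl spec does not define (as the thread notes).
"""
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlencode

# Constructed samples modelled on the values quoted in the issue;
# the libssl version is a placeholder, not taken from the page.
CDX_COMPONENT = {
    "purl": "pkg:deb/debian/libssl1.1@1.1.1n-0+deb11u4?distro=debian-11.6",
    "properties": [{"name": "aquasecurity:trivy:SrcName", "value": "openssl"}],
}
SPDX_SOURCE_INFO = "built package from: nghttp2 1.43.0-5.el9"
SRC_NAME_PROPERTY = "aquasecurity:trivy:SrcName"


def upstream_from_cyclonedx(component: dict) -> str | None:
    """Source package name from Trivy's SrcName property, if present."""
    for prop in component.get("properties", []):
        if prop.get("name") == SRC_NAME_PROPERTY:
            return prop.get("value")
    return None


def source_from_spdx(source_info: str) -> tuple[str, str] | None:
    """Split 'built package from: <name> <version>' into (name, version)."""
    m = re.fullmatch(r"built package from:\s*(\S+)\s+(\S+)", source_info.strip())
    return (m.group(1), m.group(2)) if m else None


def srpm_filename(name: str, version: str) -> str:
    """Source RPM file name that RPM-based distro advisories refer to."""
    return f"{name}-{version}.src.rpm"


def add_upstream(purl: str, upstream: str) -> str:
    """Return purl with an upstream qualifier, keeping existing qualifiers.

    Qualifiers are emitted sorted by key, purl's canonical order, so the
    result is stable whatever order the scanner wrote them in.
    """
    base, _, query = purl.partition("?")
    qualifiers = dict(parse_qsl(query, keep_blank_values=True))
    qualifiers["upstream"] = upstream
    return f"{base}?{urlencode(sorted(qualifiers.items()))}"
```

Matching advisories against the rebuilt purl's `upstream` value (or the derived `.src.rpm` name) is what closes the gap the issue describes: the distro CVE feed names the source package, not the binary one.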

@knqyf263 knqyf263 removed this from the v0.40.0 milestone Apr 9, 2023
@aquasecurity aquasecurity locked and limited conversation to collaborators May 11, 2023
@knqyf263 knqyf263 converted this issue into discussion #4319 May 11, 2023