Evidence in location

TimBrown1611 · December 10, 2024, 12:44pm

Hello!
when I scan and get an SBOM, do I expect at least one of the locations of a given package will have an evidence of “primary”?

Thanks!

willmurphy · December 12, 2024, 1:03pm

@TimBrown1611 I believe so, but I’m not aware of any testing that enforces this fact. What inference are you trying to make from this?

You can see catalogers making packages marked with primary evidence locations, for example, here:

github.com

anchore/syft/blob/13c687690690f3a66553ea34a40902db1399ab0d/syft/pkg/cataloger/debian/package.go#L29


      
          const (
          	md5sumsExt   = ".md5sums"
          	conffilesExt = ".conffiles"
          	docsPath     = "/usr/share/doc"
          )
          
          func newDpkgPackage(d pkg.DpkgDBEntry, dbLocation file.Location, resolver file.Resolver, release *linux.Release, evidence ...file.Location) pkg.Package {
          	// TODO: separate pr to license refactor, but explore extracting dpkg-specific license parsing into a separate function
          	licenses := make([]pkg.License, 0)
          
          	locations := file.NewLocationSet(dbLocation.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation))
          	locations.Add(evidence...)
          
          	p := pkg.Package{
          		Name:      d.Package,
          		Version:   d.Version,
          		Licenses:  pkg.NewLicenseSet(licenses...),
          		Locations: locations,
          		PURL:      packageURL(d, release),
          		Type:      pkg.DebPkg,
          		Metadata:  d,

Why do you ask? I feel like I could give a better answer with more context.

TimBrown1611 · December 12, 2024, 1:17pm

I am working on this PR - Squashed all layers by tomersein · Pull Request #3138 · anchore/syft · GitHub
I’m trying to build a cleaner to packages which doesn’t exist in the squash mode by looking at annotations
like here - Squashed all layers by tomersein · Pull Request #3138 · anchore/syft · GitHub

Topic		Replies	Views
Question about relationship and the impact on grype results Grype	4	33	November 27, 2024
In syft generated sbom we see license as links https://www.apache.org/licenses/LICENSE-2.0.txt General	7	129	September 3, 2024
Revisiting ownership-by-file-overlap relationships General	1	26	November 26, 2024
Squashed all layers resolver Syft	2	36	September 3, 2024
Exclude-binary-overlap-by-ownership flag is not working General discuss	13	45	December 10, 2024

Evidence in location

Related topics