From b5fc67d3f0c643cd49effdc2f2ceae14da3aedb3 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Thu, 14 Nov 2024 11:37:07 +0000 Subject: [PATCH] Where the sbom is describing a container, use the tagging information from obom Signed-off-by: Prabhu Subramanian --- data/component-tags.json | 42 +++++++++++++++------ lib/managers/docker.js | 1 + lib/stages/postgen/annotator.js | 28 ++++++++++---- lib/stages/postgen/postgen.js | 2 +- types/lib/managers/docker.d.ts.map | 2 +- types/lib/stages/postgen/annotator.d.ts | 4 +- types/lib/stages/postgen/annotator.d.ts.map | 2 +- 7 files changed, 57 insertions(+), 24 deletions(-) diff --git a/data/component-tags.json b/data/component-tags.json index 8a10b9bb4..3f3e548c6 100644 --- a/data/component-tags.json +++ b/data/component-tags.json @@ -231,8 +231,10 @@ }, "name": { "sbom": [ - { "test": ["(junit|xmlunit|testng|chai|mocha|jest)"] }, - { "security": ["(boringssl|openssl|libressl|gnutls|jose|keyutils)"] }, + { "test": ["(junit|xmlunit|testng|chai|mocha|jest|test4j)"] }, + { + "security": ["(boringssl|openssl|libressl|libssl|gnutls|jose|keyutils)"] + }, { "native": ["(ffi|native)"] }, { "parse": ["(parser)"] }, { "transform": ["(transformer)"] } @@ -241,7 +243,7 @@ { "devel": [ "-(dev|devel|headers|sdk|libs|extension|headers+x86|headers+x64|headers+arm64)$", - "^(git)-", + "^(git)[-]?", "^(sdk|windows+sdk)" ] }, @@ -253,7 +255,7 @@ { "kernel": ["^(linux|kernel|os-image)"] }, { "security": [ - "(selinux|apparmor|security|boringssl|openssl|libressl|gnutls|jose|keyutils|passwd)" + "(selinux|apparmor|security|boringssl|openssl|libressl|gnutls|jose|keyutils|passwd|libssl|libaudit|gcrypt)" ] }, { 
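Review bot: In the `@@ -241` hunk the `devel` pattern `^(git)[-]?` makes the hyphen optional, which is the same as `^git`, so any component whose name merely starts with `git` (for example `gitlab-runner` or `gitea`) is now tagged devel, which the previous `^(git)-` did not do. If the intent is to also match the bare `git` package, anchor the alternative instead: `"^git(-|$)"`. The matcher that compiles these strings lives in annotator.js and is not part of this hunk, so JavaScript `RegExp` semantics without extra flags are assumed here.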
@@ -262,29 +264,42 @@ ] }, { - "build": ["(cpp|fortran|gcc|make|meson|bazel|maven|gradle|sbt|ant|gdb)"] + "build": [ + "(cpp|fortran|gcc|make|meson|bazel|maven|gradle|sbt|ant|gdb|boost|compiler|kotlin|cargo|rustc|llvm)" + ] }, { "network": [ "(tailscale|wireguard|openvpn|dns|cockpit|cups|dhcp|network|iproute|iptables|mosh|netavark|openssh|rsync|tcpdump)" ] }, - { "webserver": ["(httpd|http2)"] }, - { "crypto": ["(crypt|gpg|keys|certificates|gnupg|certifi)"] }, + { "webserver": ["(httpd|http2|tomcat|jboss)"] }, + { + "crypto": [ + "(crypt|gpg|keys|certificates|gnupg|certifi|pubkey|keyutils|nss)" + ] + }, { "repository": ["(-repos|-release|ostree|appstream)"] }, - { "shell": ["(bash|zsh|csh|fish)"] }, + { "shell": ["(bash|zsh|csh|fish|binsh)"] }, { "bluetooth": ["(bluez|bluetooth)"] }, { "sound": ["(alsa|pulseaudio|wireplumber|flac|codecs|ldac|sound)"] }, - { "compression": ["(brotli|xz-utils|zstd|lz4)", "(tar|zip|webp)$"] }, + { + "compression": [ + "(brotli|xz-utils|zstd|lz4|zlib|bz2|lzma5)", + "(tar|zip|webp)$" + ] + }, { "runtime": [ - "(perl|lua|php|python|ruby|dotnet|java|swift|runtime|glibc|musl|wasm|.net|asp.net|node.js|node)" + "(perl|lua|php|python|ruby|dotnet|java|swift|runtime|glibc|musl|wasm|.net|asp.net|node.js|node|groovy)" ] }, { "editor": ["(vim|emacs|nano|hexedit)"] }, { "xml": ["(xml|expat)"] }, { "boot": ["(grub|systemd-boot|syslinux)"] }, - { "gui": ["(wayland|xorg|X11|mesa|vulkan|tk|wkhtmltox|electron)"] }, + { + "gui": ["(wayland|xorg|X11|mesa|vulkan|tk|wkhtmltox|electron|Xrender)"] + }, { "package": [ "(rpm|dnf|yum|apt|zypper|apk|conda)$", @@ -298,7 +313,10 @@ "(microsoft+edge|microsoft+edge+webview2|microsoft+html)" ] }, - { "chat": ["(webex|teams|slack|discord|vesktop|matrix|signal|whatsapp)"] } + { + "chat": ["(webex|teams|slack|discord|vesktop|matrix|signal|whatsapp)"] + }, + { "logging": ["(log4j|logging|slf4j)"] } ] } } diff --git a/lib/managers/docker.js b/lib/managers/docker.js index 08de14343..4b1a53267 100644 
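Review bot: In the `gui` entry the new alternative `Xrender` is the only mixed-case token besides the pre-existing `X11`, while distro package names are lowercase (`libxrender`, `libxrender1`), so it only matches if the tag regexes are compiled case-insensitively; the matcher is not in this hunk, so that cannot be confirmed from the diff. If they are case-sensitive, write it as `xrender`; if they are not, the lowercase form is still the convention every other new token in this hunk follows. Separately, `keyutils` now appears in both the `security` and the `crypto` lists of this section, which is fine if a component may carry several tags but deserves a short note if only the first match is kept.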
--- a/lib/managers/docker.js
+++ b/lib/managers/docker.js
@@ -777,6 +777,7 @@ export const extractTar = async (fullImageName, dir) => {
 path.includes("usr/share/zoneinfo/") ||
 path.includes("usr/share/doc/") ||
 path.includes("usr/share/i18n/") ||
+ path.includes("var/lib/ca-certificates") ||
 basename(path).startsWith(".") ||
 path.includes("usr/share/licenses/device-mapper-libs") ||
 [
diff --git a/lib/stages/postgen/annotator.js b/lib/stages/postgen/annotator.js
index 15aaac908..158cf09bd 100644
--- a/lib/stages/postgen/annotator.js
+++ b/lib/stages/postgen/annotator.js
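Review bot: The new exclusion `path.includes("var/lib/ca-certificates")` has no trailing slash, unlike its siblings `usr/share/zoneinfo/`, `usr/share/doc/` and `usr/share/i18n/`, so it also skips any path that merely contains that prefix (a `var/lib/ca-certificates-*` directory, for instance); `path.includes("var/lib/ca-certificates/") ||` limits it to the directory itself. Since skipping the trust store presumably means CA bundles baked into an image, including a private root added for TLS interception, are no longer seen by later analysis, the line deserves a why-comment such as `// Skip the system CA trust store; certificate bundles are not inventoried as components`. The enclosing `extractTar` and the array this condition belongs to both start and end outside the hunk.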
@@ -253,28 +253,40 @@ export function textualMetadata(bomJson) { * * @param {Object} component CycloneDX component * @param {String} bomType BOM type + * @param {String} parentComponentType Parent component type + * * @returns {Array | undefined} Array of string tags */ -export function extractTags(component, bomType = "all") { +export function extractTags( + component, + bomType = "all", + parentComponentType = "application", +) { if ( !component || (!component.description && !component.properties && !component.name) ) { return undefined; } + bomType = bomType?.toLowerCase(); const tags = new Set(); const desc = component?.description?.toLowerCase(); const compProps = component.properties || []; // Collect both the BOM specific tags and all tags - const compNameTags = (componentTags.name[bomType.toLowerCase()] || []).concat( + let compNameTags = (componentTags.name[bomType] || []).concat( componentTags.name.all || [], ); - const compDescTags = ( - componentTags.description[bomType.toLowerCase()] || [] - ).concat(componentTags.description.all || []); - const compPropsTags = ( - componentTags.properties[bomType.toLowerCase()] || [] - ).concat(componentTags.properties.all || []); + // For SBOMs with a container component as parent, utilize the tags + // from OBOM + if (bomType === "sbom" && parentComponentType === "container") { + compNameTags = compNameTags.concat(componentTags.name.obom || []); + } + const compDescTags = (componentTags.description[bomType] || []).concat( + componentTags.description.all || [], + ); + const compPropsTags = (componentTags.properties[bomType] || []).concat( + componentTags.properties.all || [], + ); if (component?.name) { // {"devel": ["/-(dev|devel|headers)$/"]} for (const anameTagObject of compNameTags) { diff --git a/lib/stages/postgen/postgen.js b/lib/stages/postgen/postgen.js index 7c6522ea2..936d416a4 100644 --- a/lib/stages/postgen/postgen.js +++ b/lib/stages/postgen/postgen.js 
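Review bot: `bomType` is lower-cased before the lookup, but the new `parentComponentType` is compared with the literal `"container"` as-is, so a caller passing `"Container"` silently falls back to SBOM-only tags; for consistency normalise both, e.g. `parentComponentType = parentComponentType?.toLowerCase();` next to the existing `bomType` line. The OBOM merge is applied only to `compNameTags`, while `compDescTags` and `compPropsTags` still read just `[bomType]` plus `all`; if component-tags.json carries `obom` entries under `description` or `properties` (not visible in this diff) they are ignored for container SBOMs, and if it does not, a comment saying the merge is intentionally name-only would spare the next reader the check. The JSDoc should also state the parameter's effect rather than restate its name, e.g. `@param {String} parentComponentType Type of metadata.component; "container" additionally applies the OBOM name tags`. The function body continues past the end of the hunk.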
@@ -355,7 +355,7 @@ export function annotate(bomJson, options) { } // Tag the components for (const comp of bomJson.components) { - const tags = extractTags(comp, bomType); + const tags = extractTags(comp, bomType, bomJson.metadata?.component?.type); if (tags?.length) { comp.tags = tags; } diff --git a/types/lib/managers/docker.d.ts.map b/types/lib/managers/docker.d.ts.map index 18dc35239..1db2a40e6 100644 --- a/types/lib/managers/docker.d.ts.map +++ b/types/lib/managers/docker.d.ts.map @@ -1 +1 @@ -{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../lib/managers/docker.js"],"names":[],"mappings":"AAoDA;;GAEG;AACH,4CA6CC;AAxED,4BAA6C;AAC7C,8CAA+C;AAkFxC,iCAHI,MAAM,WACN,MAAM,iDAehB;AAqBM,6DAmBN;AAgLM,4EAsGN;AAEM,oFAwBN;AAUM;;;;;;;;EAwEN;AAsBM,2DA6KN;AAEM,2EA2FN;AAMM;;;;;;;;;;;;;GAqDN;AAEM;;;;;;;GAqGN;AAMM,8DAqIN;AAKM,4EAmGN;AAEM,+EAMN;AAEM,4EAyCN;AAEM,iFA0BN"} \ No newline at end of file +{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../lib/managers/docker.js"],"names":[],"mappings":"AAoDA;;GAEG;AACH,4CA6CC;AAxED,4BAA6C;AAC7C,8CAA+C;AAkFxC,iCAHI,MAAM,WACN,MAAM,iDAehB;AAqBM,6DAmBN;AAgLM,4EAsGN;AAEM,oFAwBN;AAUM;;;;;;;;EAwEN;AAsBM,2DA6KN;AAEM,2EA4FN;AAMM;;;;;;;;;;;;;GAqDN;AAEM;;;;;;;GAqGN;AAMM,8DAqIN;AAKM,4EAmGN;AAEM,+EAMN;AAEM,4EAyCN;AAEM,iFA0BN"} \ No newline at end of file diff --git a/types/lib/stages/postgen/annotator.d.ts b/types/lib/stages/postgen/annotator.d.ts index 0d5f72ac9..2f7b31db8 100644 --- a/types/lib/stages/postgen/annotator.d.ts +++ b/types/lib/stages/postgen/annotator.d.ts 
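Review bot: `bomJson.metadata?.component?.type` is re-evaluated on every iteration of the loop over `bomJson.components` although it is loop-invariant; hoisting it keeps the call readable and makes the dependency explicit: `const parentComponentType = bomJson.metadata?.component?.type;` before the loop and `const tags = extractTags(comp, bomType, parentComponentType);` inside it. Whether `metadata.component.type` is actually populated as `"container"` for image scans is decided elsewhere, so the new behaviour hinges on that being set before `annotate` runs; a one-line comment above the loop stating that assumption would help. The `annotate` function begins and ends outside this hunk.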
@@ -19,7 +19,9 @@ export function textualMetadata(bomJson: any): string | undefined; * * @param {Object} component CycloneDX component * @param {String} bomType BOM type + * @param {String} parentComponentType Parent component type + * * @returns {Array | undefined} Array of string tags */ -export function extractTags(component: any, bomType?: string): any[] | undefined; +export function extractTags(component: any, bomType?: string, parentComponentType?: string): any[] | undefined; //# sourceMappingURL=annotator.d.ts.map \ No newline at end of file diff --git a/types/lib/stages/postgen/annotator.d.ts.map b/types/lib/stages/postgen/annotator.d.ts.map index 7fb7868cc..7792d3235 100644 --- a/types/lib/stages/postgen/annotator.d.ts.map +++ b/types/lib/stages/postgen/annotator.d.ts.map @@ -1 +1 @@ -{"version":3,"file":"annotator.d.ts","sourceRoot":"","sources":["../../../../lib/stages/postgen/annotator.js"],"names":[],"mappings":"AA0CA;;;;;;GAMG;AACH,kDAkCC;AAED;;;;;;GAMG;AACH,+CAFa,SAAS,SAAS,CA8J9B;AAED;;;;;;GAMG;AACH,+DAFa,QAAQ,SAAS,CAiE7B"} \ No newline at end of file +{"version":3,"file":"annotator.d.ts","sourceRoot":"","sources":["../../../../lib/stages/postgen/annotator.js"],"names":[],"mappings":"AA0CA;;;;;;GAMG;AACH,kDAkCC;AAED;;;;;;GAMG;AACH,+CAFa,SAAS,SAAS,CA8J9B;AAED;;;;;;;;GAQG;AACH,6FAFa,QAAQ,SAAS,CA2E7B"} \ No newline at end of file