
Commit 76f262c

committed
sbom: also stop grype from matching random ecosystems when no CPE/PURL is present
there are too many false positives
1 parent 151044c commit 76f262c


2 files changed

+15
-4
lines changed


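--- a/msys2_devtools/sbom.py
+++ b/msys2_devtools/sbom.py
@@ -62,12 +62,14 @@ def generate_components(value) -> list[Component]:
     purl = PackageURL(**{**purl.to_dict(), "version": pkgver})
     purls.append(purl)
 
+    # https://github.com/anchore/grype/issues/2618
+    grype_stop_matching_by_name = Property(name="syft:package:type", value="binary")
+
     for cpe in cpes:
         name, version = parse_cpe(cpe)[2:4]
         assert isinstance(version, str) and isinstance(name, str)
-        # https://github.com/anchore/grype/issues/2618
-        cpe_properties = properties + [Property(name="syft:package:type", value="binary")]
-        component = Component(name=name, version=version, cpe=cpe, properties=cpe_properties)
+        component = Component(
+            name=name, version=version, cpe=cpe, properties=properties + [grype_stop_matching_by_name])
         components.append(component)
 
     for purl in purls:
@@ -79,7 +81,8 @@ def generate_components(value) -> list[Component]:
             name = pkgbase.split("-", 2)[-1]
         else:
             name = pkgbase
-        component = Component(name=name, version=pkgver, properties=properties)
+        component = Component(
+            name=name, version=pkgver, properties=properties + [grype_stop_matching_by_name])
         components.append(component)
 
     return components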
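Review bot: The comment moved to new line 65 still only links the grype issue and never says what tagging every component as `syft:package:type=binary` does or costs, even though suppressing name-based matching is the whole point of this commit and the tag now lands on components that carry neither a CPE nor a PURL. I would extend it to `# Tag every component as a syft "binary" package so grype matches only on the CPE/PURL we supply, never on the bare name (too many false positives); components with neither presumably get no matches at all.` with the issue link kept below it. A secondary point: the single `grype_stop_matching_by_name` Property is shared by reference across every component, which is fine as long as nothing mutates Property objects in place, but a per-component `Property(...)` call would cost nothing if that guarantee is unclear. The body of generate_components begins before the first hunk, and the block enclosing the second hunk's Component call (new lines 84–85) starts outside it, so I cannot confirm from here which components that branch covers.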

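--- a/tests/test_sbom.py
+++ b/tests/test_sbom.py
@@ -73,6 +73,14 @@ def test_grype_workaround():
     else:
         assert False, "syft:package:type property not found"
 
+    components = generate_components({"srcinfo": srcinfo, "extra": {"references": []}})
+    for property in components[0].properties:
+        if property.name == "syft:package:type":
+            assert property.value == "binary"
+            break
+    else:
+        assert False, "syft:package:type property not found"
+
     components = generate_components({"srcinfo": srcinfo, "extra": {"references": [
         "purl: pkg:pypi/django"
     ]}})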
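Review bot: The block added at new lines 76–83 repeats the for/else search visible just above it verbatim, differing only in the empty `references` list, and its loop variable `property` shadows the builtin; the PURL case at new lines 84–86 presumably gets a third copy outside the hunk. Each copy collapses to two lines, `types = [p.value for p in components[0].properties if p.name == "syft:package:type"]` followed by `assert types and types[0] == "binary", "syft:package:type property not found"`, or the search can be pulled into a small helper in this module so the test reads as three inputs and three assertions. test_grype_workaround starts before the hunk.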
