From fc836384a93fad390131a38b5b62e60e42312bee Mon Sep 17 00:00:00 2001 From: Will Murphy Date: Fri, 18 Aug 2023 11:46:08 -0400 Subject: [PATCH] fix: Only remove packages by binary overlap Previously, ownership by file overlap would remove packages of the same type, or packages with an empty type. Instead, only remove packages by overlap if the owned package is binary, since the installation source of the binary will have better version info than the binary itself. Signed-off-by: Will Murphy --- grype/pkg/package.go | 4 ++-- grype/pkg/package_test.go | 18 ++++++++++++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/grype/pkg/package.go b/grype/pkg/package.go index 7ee1253c7b9..b9fd50e0a39 100644 --- a/grype/pkg/package.go +++ b/grype/pkg/package.go @@ -135,8 +135,8 @@ func excludePackage(p pkg.Package, parent pkg.Package) bool { return false } - // filter out only binary pkg, empty types, or equal types - if p.Type != pkg.BinaryPkg && p.Type != "" && p.Type != parent.Type { + // filter out only binary pkg + if p.Type != pkg.BinaryPkg { return false } diff --git a/grype/pkg/package_test.go b/grype/pkg/package_test.go index ebcb68eee13..3eddc785d41 100644 --- a/grype/pkg/package_test.go +++ b/grype/pkg/package_test.go @@ -676,11 +676,25 @@ func Test_RemoveBinaryPackagesByOverlap(t *testing.T) { []string{"apk:node@19.2-r1 -> binary:node@19.2"}), expectedPackages: []string{"apk:go@1.18", "apk:node@19.2-r1"}, }, + { + name: "does not exclude if OS package owns OS package", + sbom: catalogWithOverlaps( + []string{"rpm:perl@5.3-r1", "rpm:libperl@5.3"}, + []string{"rpm:perl@5.3-r1 -> rpm:libperl@5.3"}), + expectedPackages: []string{"rpm:libperl@5.3", "rpm:perl@5.3-r1"}, + }, + { + name: "does not exclude if owning package is non-OS", + sbom: catalogWithOverlaps( + []string{"python:urllib3@1.2.3", "python:otherlib@1.2.3"}, + []string{"python:urllib3@1.2.3 -> python:otherlib@1.2.3"}), + expectedPackages: []string{"python:otherlib@1.2.3", "python:urllib3@1.2.3"}, + }, { name: "excludes multiple package by overlap", sbom: catalogWithOverlaps( - []string{"apk:go@1.18", "apk:node@19.2-r1", "binary:node@19.2", "apk:python@3.9-r9", ":python@3.9"}, - []string{"apk:node@19.2-r1 -> binary:node@19.2", "apk:python@3.9-r9 -> :python@3.9"}), + []string{"apk:go@1.18", "apk:node@19.2-r1", "binary:node@19.2", "apk:python@3.9-r9", "binary:python@3.9"}, + []string{"apk:node@19.2-r1 -> binary:node@19.2", "apk:python@3.9-r9 -> binary:python@3.9"}), expectedPackages: []string{"apk:go@1.18", "apk:node@19.2-r1", "apk:python@3.9-r9"}, }, {