feat: new intersection approach

Signed-off-by: Christopher Phillips <[email protected]>
anchore · May 8, 2024 · 6bf7ca2 · 6bf7ca2
1 parent d0b710b
commit 6bf7ca2
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 1 deletion.
diff --git a/internal/relationship/binary/binary_dependencies.go b/internal/relationship/binary/binary_dependencies.go
@@ -63,6 +63,45 @@ func generateRelationships(resolver file.Resolver, accessor sbomsync.Accessor, i
 	return relIndex.newRelationships()
 }
 
+// PackagesToRemove returns a list of binary packages (resolved by the ELF cataloger) that should be removed from the SBOM
+// These packages are removed because they are already represented by a higher order packages in the SBOM.
+// TODO: this is removing packages incorrectly, it should be removing the binary package if it is a dependency of another package
+func PackagesToRemove(resolver file.Resolver, accessor sbomsync.Accessor) []artifact.ID {
+	elfPackageToDelete := []artifact.ID{}
+	elfExecutables := []file.Executable{}
+	accessor.ReadFromSBOM(func(s *sbom.SBOM) {
+		for _, e := range s.Artifacts.Executables {
+			if e.Format == file.ELF {
+				elfExecutables = append(elfExecutables, e)
+			}
+		}
+	})
+
+	sharedLibraryIndex := newShareLibIndex(resolver, accessor)
+	for _, e := range elfExecutables {
+		for _, lib := range e.ImportedLibraries {
+			// find the basename of the library
+			libBasename := path.Base(lib)
+			sharedCoord := sharedLibraryIndex.owningLibraryLocations(libBasename)
+
+			for _, loc := range sharedCoord.ToSlice() {
+				// are you in our index?
+				realBaseName := path.Base(loc.RealPath)
+				pkgCollection := sharedLibraryIndex.owningLibraryPackage(realBaseName)
+				// no overlap continue
+				if pkgCollection.PackageCount() > 1 {
+					for _, p := range pkgCollection.Sorted() {
+						if p.Type == pkg.BinaryPkg {
+							elfPackageToDelete = append(elfPackageToDelete, p.ID())
+						}
+					}
+				}
+			}
+		}
+	}
+	return elfPackageToDelete
+}
+
 func populateRelationships(exec file.Executable, parentPkg pkg.Package, resolver file.Resolver, relIndex *relationshipIndex, index *sharedLibraryIndex) {
 	for _, libReference := range exec.ImportedLibraries {
 		// for each library reference, check s.Artifacts.Packages.Sorted(pkg.BinaryPkg) for a binary package that represents that library

diff --git a/internal/relationship/finalize.go b/internal/relationship/finalize.go
@@ -12,7 +12,6 @@ import (
 func Finalize(resolver file.Resolver, builder sbomsync.Builder, cfg cataloging.RelationshipsConfig, src artifact.Identifiable) {
 	accessor := builder.(sbomsync.Accessor)
 
-	// remove ELF packages that are already represented by a non-ELF package
 	// TODO (also, how should we update the TUI to reflect that we removed packages?)
 
 	// add relationships showing packages that are evident by a file which is owned by another package (package-to-package)
@@ -45,4 +44,7 @@ func Finalize(resolver file.Resolver, builder sbomsync.Builder, cfg cataloging.R
 		evidentByRelationships = evidentBy(s.Artifacts.Packages)
 	})
 	builder.AddRelationships(evidentByRelationships...)
+
+	// remove ELF packages that are already represented by a non-ELF package
+	builder.DeletePackages(binary.PackagesToRemove(resolver, accessor)...)
 }
diff --git a/internal/sbomsync/builder.go b/internal/sbomsync/builder.go
@@ -20,6 +20,8 @@ type Builder interface {
 
 	AddPackages(...pkg.Package)
 
+	DeletePackages(...artifact.ID)
+
 	// edges
 
 	AddRelationships(...artifact.Relationship)
@@ -78,6 +80,38 @@ func (b sbomBuilder) AddPackages(p ...pkg.Package) {
 	b.onWriteEvent()
 }
 
+func (b sbomBuilder) DeletePackages(ids ...artifact.ID) {
+	b.lock.Lock()
+	defer b.lock.Unlock()
+
+	toDelete := make(map[artifact.ID]struct{})
+	for _, id := range ids {
+		b.sbom.Artifacts.Packages.Delete(id)
+		toDelete[id] = struct{}{}
+	}
+
+	// remove any relationships that reference the deleted packages
+	var relationships []artifact.Relationship
+	for _, rel := range b.sbom.Relationships {
+		fromID := false
+		toID := false
+		if _, ok := toDelete[rel.From.ID()]; ok {
+			fromID = true
+		}
+		if _, ok := toDelete[rel.To.ID()]; ok {
+			toID = true
+		}
+		// skip relationships that reference the deleted packages
+		if fromID || toID {
+			continue
+		}
+		relationships = append(relationships, rel)
+	}
+
+	b.sbom.Relationships = relationships
+	b.onWriteEvent()
+}
+
 func (b sbomBuilder) AddRelationships(relationship ...artifact.Relationship) {
 	b.lock.Lock()
 	defer b.lock.Unlock()