Add relationships to ELF packages

.github/actions/bootstrap/action.yaml

@@ -27,7 +27,7 @@ runs:
   using: "composite"
   steps:
     # note: go mod and build is automatically cached on default with v4+
-    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 #v5.0.1
       if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}

.golangci.yaml

@@ -60,6 +60,7 @@ output:
   uniq-by-line: false
 run:
   timeout: 10m
+  tests: false
 
 # do not enable...
 #    - deadcode          # The owner seems to have abandoned the linter. Replaced by "unused".

cmd/syft/internal/test/integration/package_binary_elf_relationships_test.go

@@ -0,0 +1,65 @@
+package integration
+
+import (
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/source"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestBinaryElfRelationships(t *testing.T) {
+	// node --> ["dependency of" nodes]
+	expectedGraph := map[string][]string{
+		"glibc": {
+			"libhello_world.so",
+			"syfttestfixture",
+		},
+		"libstdc++": {
+			"syfttestfixture",
+		},
+		"libhello_world.so": {
+			"syfttestfixture",
+		},
+	}
+
+	// run the test...
+	sbom, _ := catalogFixtureImage(t, "elf-test-fixtures", source.SquashedScope)
+
+	// get a mapping of package names to their IDs
+	nameToId := map[string]artifact.ID{}
+
+	recordPkgId := func(name string) {
+		pkgs := sbom.Artifacts.Packages.PackagesByName(name)
+		require.NotEmpty(t, pkgs, "expected package %q to be present in the SBOM", name)
+		for _, p := range pkgs {
+			nameToId[p.Name] = p.ID()
+		}
+	}
+	for name, depNames := range expectedGraph {
+		recordPkgId(name)
+		for _, depName := range depNames {
+			recordPkgId(depName)
+		}
+	}
+
+	for name, expectedDepNames := range expectedGraph {
+		pkgId := nameToId[name]
+		p := sbom.Artifacts.Packages.Package(pkgId)
+		require.NotNil(t, p, "expected package %q to be present in the SBOM", name)
+
+		rels := sbom.RelationshipsForPackage(*p, artifact.DependencyOfRelationship)
+		require.NotEmpty(t, rels, "expected package %q to have relationships", name)
+
+		toIds := map[artifact.ID]struct{}{}
+		for _, rel := range rels {
+			toIds[rel.To.ID()] = struct{}{}
+		}
+
+		for _, depName := range expectedDepNames {
+			depId := nameToId[depName]
+			_, exists := toIds[depId]
+			require.True(t, exists, "expected package %q to have a relationship to %q", name, depName)
+		}
+	}
+
+}

cmd/syft/internal/test/integration/test-fixtures/elf-test-fixtures

@@ -0,0 +1 @@
+../../../../../../syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures

cmd/syft/internal/test/integration/utils_test.go

@@ -32,7 +32,6 @@ func catalogFixtureImageWithConfig(t *testing.T, fixtureImageName string, cfg *s
 	cfg.CatalogerSelection = cfg.CatalogerSelection.WithDefaults(pkgcataloging.ImageTag)
 
 	// get the fixture image tar file
-	imagetest.GetFixtureImage(t, "docker-archive", fixtureImageName)
 	tarPath := imagetest.GetFixtureImageTarPath(t, fixtureImageName)
 
 	// get the source to build an SBOM against

go.mod

@@ -84,6 +84,10 @@ require (
 	modernc.org/sqlite v1.29.9
 )
 
+require google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
+
+require github.com/magiconair/properties v1.8.7
+
 require (
 	dario.cat/mergo v1.0.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
@@ -153,7 +157,6 @@ require (
 	github.com/kr/text v0.2.0 // indirect
 	github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/maruel/natural v1.1.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -227,7 +230,6 @@ require (
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/tools v0.19.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
-	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect

internal/relationship/binary/binary_dependencies.go

@@ -0,0 +1,171 @@
+package binary
+
+import (
+	"path"
+
+	"github.com/anchore/syft/internal/log"
+
+	"github.com/anchore/syft/internal/sbomsync"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/sbom"
+)
+
+func NewDependencyRelationships(resolver file.Resolver, accessor sbomsync.Accessor) []artifact.Relationship {
+	// TODO: consider library format (e.g. ELF, Mach-O, PE) for the meantime assume all binaries are homogeneous format
+	// start with building new package-to-package relationships for executables-to-executables
+	// each relationship must be unique, store in a map[id]map[id]relationship to avoid duplicates
+	// 1 & 2... build an index of all shared libraries and their owning packages to search against
+	index := newShareLibIndex(resolver, accessor)
+
+	// 3. craft package-to-package relationships for each binary that represent shared library dependencies
+	//note: we only care about package-to-package relationships
+	var relIndex *relationshipIndex
+	accessor.ReadFromSBOM(func(s *sbom.SBOM) {
+		relIndex = newRelationshipIndex(s.Relationships...)
+	})
+
+	return generateRelationships(resolver, accessor, index, relIndex)
+}
+
+func generateRelationships(resolver file.Resolver, accessor sbomsync.Accessor, index *sharedLibraryIndex, relIndex *relationshipIndex) []artifact.Relationship {
+	// read all existing dependencyOf relationships
+	accessor.ReadFromSBOM(func(s *sbom.SBOM) {
+		for _, r := range s.Relationships {
+			if r.Type != artifact.DependencyOfRelationship {
+				continue
+			}
+			relIndex.track(r)
+		}
+	})
+
+	// find all package-to-package relationships for shared library dependencies
+	accessor.ReadFromSBOM(func(s *sbom.SBOM) {
+		for _, parentPkg := range s.Artifacts.Packages.Sorted(pkg.BinaryPkg) {
+			for _, evidentLocation := range parentPkg.Locations.ToSlice() {
+				if evidentLocation.Annotations[pkg.EvidenceAnnotationKey] != pkg.PrimaryEvidenceAnnotation {
+					continue
+				}
+
+				// find all libraries that this package depends on
+				exec, ok := s.Artifacts.Executables[evidentLocation.Coordinates]
+				if !ok {
+					continue
+				}
+
+				populateRelationships(exec, parentPkg, resolver, relIndex, index)
+			}
+		}
+	})
+
+	return relIndex.newRelationships()
+}
+
+// PackagesToRemove returns a list of binary packages (resolved by the ELF cataloger) that should be removed from the SBOM
+// These packages are removed because they are already represented by a higher order packages in the SBOM.
+func PackagesToRemove(resolver file.Resolver, accessor sbomsync.Accessor) []artifact.ID {
+	pkgsToDelete := make([]artifact.ID, 0)
+	accessor.ReadFromSBOM(func(s *sbom.SBOM) {
+		// OTHER > ELF > Binary
+		pkgsToDelete = append(pkgsToDelete, getBinaryPackagesToDelete(resolver, s)...)
+		pkgsToDelete = append(pkgsToDelete, compareElfBinaryPackages(resolver, s)...)
+	})
+	return pkgsToDelete
+}
+
+func compareElfBinaryPackages(resolver file.Resolver, s *sbom.SBOM) []artifact.ID {
+	pkgsToDelete := make([]artifact.ID, 0)
+	for _, p := range s.Artifacts.Packages.Sorted(pkg.BinaryPkg) {
+		for _, loc := range p.Locations.ToSlice() {
+			if loc.Annotations[pkg.EvidenceAnnotationKey] != pkg.PrimaryEvidenceAnnotation {
+				continue
+			}
+			locations, err := resolver.FilesByPath(loc.RealPath)
+			if err != nil {
+				log.WithFields("error", err).Trace("unable to find path for owned file")
+				continue
+			}
+			for _, ownedL := range locations {
+				for _, pathPkg := range s.Artifacts.Packages.PackagesByPath(ownedL.RealPath) {
+					// we only care about comparing binary packages to each other (not other types)
+					if pathPkg.Type != pkg.BinaryPkg {
+						continue
+					}
+					if _, ok := pathPkg.Metadata.(pkg.ELFBinaryPackageNoteJSONPayload); !ok {
+						pkgsToDelete = append(pkgsToDelete, pathPkg.ID())
+					}
+				}
+			}
+		}
+	}
+	return pkgsToDelete
+}
+
+func getBinaryPackagesToDelete(resolver file.Resolver, s *sbom.SBOM) []artifact.ID {
+	pkgsToDelete := make([]artifact.ID, 0)
+	for p := range s.Artifacts.Packages.Enumerate() {
+		if p.Type == pkg.BinaryPkg {
+			continue
+		}
+		fileOwner, ok := p.Metadata.(pkg.FileOwner)
+		if !ok {
+			continue
+		}
+		ownedFiles := fileOwner.OwnedFiles()
+		locations, err := resolver.FilesByPath(ownedFiles...)
+		if err != nil {
+			log.WithFields("error", err).Trace("unable to find path for owned file")
+			continue
+		}
+		for _, loc := range locations {
+			for _, pathPkg := range s.Artifacts.Packages.PackagesByPath(loc.RealPath) {
+				if pathPkg.Type == pkg.BinaryPkg {
+					pkgsToDelete = append(pkgsToDelete, pathPkg.ID())
+				}
+			}
+		}
+	}
+	return pkgsToDelete
+}
+
+func populateRelationships(exec file.Executable, parentPkg pkg.Package, resolver file.Resolver, relIndex *relationshipIndex, index *sharedLibraryIndex) {
+	for _, libReference := range exec.ImportedLibraries {
+		// for each library reference, check s.Artifacts.Packages.Sorted(pkg.BinaryPkg) for a binary package that represents that library
+		// if found, create a relationship between the parent package and the library package
+		// if not found do nothing.
+		// note: we only care about package-to-package relationships
+
+		// find the basename of the library
+		libBasename := path.Base(libReference)
+		libLocations, err := resolver.FilesByGlob("**/" + libBasename)
+		if err != nil {
+			log.WithFields("lib", libReference, "error", err).Trace("unable to resolve library basename")
+			continue
+		}
+
+		for _, loc := range libLocations {
+			// are you in our index?
+			realBaseName := path.Base(loc.RealPath)
+			pkgCollection := index.owningLibraryPackage(realBaseName)
+			if pkgCollection.PackageCount() < 1 {
+				relIndex.add(
+					artifact.Relationship{
+						From: loc.Coordinates,
+						To:   parentPkg,
+						Type: artifact.DependencyOfRelationship,
+					},
+				)
+			}
+			for _, p := range pkgCollection.Sorted() {
+				relIndex.add(
+					artifact.Relationship{
+						From: p,
+						To:   parentPkg,
+						Type: artifact.DependencyOfRelationship,
+					},
+				)
+			}
+		}
+	}
+}