
Add compliance policy for empty name and version #3257

Merged: 3 commits from empty-name-version into main, Sep 20, 2024
Conversation

wagoodman (Contributor)

@wagoodman wagoodman commented Sep 19, 2024

Adds a new compliance configuration to handle what to do when there is a missing name or version:

compliance:
  # action to take when a package is missing a name (env: SYFT_COMPLIANCE_MISSING_NAME)
  missing-name: 'drop'
  
  # action to take when a package is missing a version (env: SYFT_COMPLIANCE_MISSING_VERSION)
  missing-version: 'stub'

Above are the default values, but the possible values a user can put in are:

  • keep, add a trace log but the non-compliant package is still added to the SBOM
  • drop, exclude the package from results, add a debug log
  • stub, replace the non-compliant empty value with UNKNOWN

Open questions:

  1. configuration-wise should this land within the pkgcataloging package? (instead of the cataloging package?)

Closes #2132
Closes #2652
Closes #2038
Closes #2039
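To make the three policies concrete, here is an added example of how such a compliance step can be applied to catalogued packages. It is not syft's own implementation; the Package type, the Apply/FromEnv/CountStubbed functions and the log wording are assumptions for illustration, and the sample packages are constructed. It also rejects unrecognised policy values instead of silently falling back to keep, and counts how many fields were stubbed so a downstream vulnerability matcher can be told that "UNKNOWN" versions are placeholders, not real versions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Policy is the action taken when a package field is empty.
type Policy string

const (
	PolicyKeep Policy = "keep" // trace log, package is kept as-is
	PolicyDrop Policy = "drop" // debug log, package is excluded from the SBOM
	PolicyStub Policy = "stub" // empty value is replaced with stubValue
)

const stubValue = "UNKNOWN"

// Package is a hypothetical minimal stand-in for a catalogued package.
type Package struct {
	Name    string
	Version string
	Type    string
}

// ComplianceConfig mirrors the compliance section described in the PR.
type ComplianceConfig struct {
	MissingName    Policy
	MissingVersion Policy
}

// DefaultComplianceConfig returns the defaults quoted in the PR description.
func DefaultComplianceConfig() ComplianceConfig {
	return ComplianceConfig{MissingName: PolicyDrop, MissingVersion: PolicyStub}
}

// ParsePolicy validates a user-supplied value. Unknown values are an error,
// so a typo in config cannot silently turn into "keep everything".
func ParsePolicy(s string) (Policy, error) {
	switch p := Policy(strings.ToLower(strings.TrimSpace(s))); p {
	case PolicyKeep, PolicyDrop, PolicyStub:
		return p, nil
	default:
		return "", fmt.Errorf("unknown compliance policy %q (want keep, drop or stub)", s)
	}
}

// FromEnv overlays the SYFT_COMPLIANCE_MISSING_NAME / _VERSION variables on cfg.
// lookup is injected (os.LookupEnv in main) so the logic is testable offline.
func (c ComplianceConfig) FromEnv(lookup func(string) (string, bool)) (ComplianceConfig, error) {
	if v, ok := lookup("SYFT_COMPLIANCE_MISSING_NAME"); ok {
		p, err := ParsePolicy(v)
		if err != nil {
			return c, err
		}
		c.MissingName = p
	}
	if v, ok := lookup("SYFT_COMPLIANCE_MISSING_VERSION"); ok {
		p, err := ParsePolicy(v)
		if err != nil {
			return c, err
		}
		c.MissingVersion = p
	}
	return c, nil
}

// applyField enforces one policy on one field; it returns the (possibly
// stubbed) value, whether the package must be dropped, and a log line.
func applyField(policy Policy, field, value string, p Package) (string, bool, string) {
	if value != "" {
		return value, false, ""
	}
	id := fmt.Sprintf("%s package name=%q version=%q", p.Type, p.Name, p.Version)
	switch policy {
	case PolicyDrop:
		return value, true, fmt.Sprintf("debug: dropping %s: empty %s", id, field)
	case PolicyStub:
		return stubValue, false, fmt.Sprintf("debug: stubbing empty %s with %s for %s", field, stubValue, id)
	default:
		return value, false, fmt.Sprintf("trace: keeping %s despite empty %s", id, field)
	}
}

// Apply filters pkgs according to cfg and returns the compliant packages plus
// one log line per action taken, so the transformation can be audited.
func Apply(cfg ComplianceConfig, pkgs []Package) (kept []Package, logs []string) {
	for _, p := range pkgs {
		name, drop, msg := applyField(cfg.MissingName, "name", p.Name, p)
		if msg != "" {
			logs = append(logs, msg)
		}
		if drop {
			continue
		}
		p.Name = name
		version, drop, msg := applyField(cfg.MissingVersion, "version", p.Version, p)
		if msg != "" {
			logs = append(logs, msg)
		}
		if drop {
			continue
		}
		p.Version = version
		kept = append(kept, p)
	}
	return kept, logs
}

// CountStubbed reports how many fields in pkgs carry the placeholder value,
// which is what a consumer should check before treating versions as real.
func CountStubbed(pkgs []Package) int {
	n := 0
	for _, p := range pkgs {
		if p.Name == stubValue {
			n++
		}
		if p.Version == stubValue {
			n++
		}
	}
	return n
}

func main() {
	cfg, err := DefaultComplianceConfig().FromEnv(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed sample input: one compliant package and three non-compliant ones.
	pkgs := []Package{
		{Name: "left-pad", Version: "1.3.0", Type: "npm"},
		{Name: "", Version: "2.0.0", Type: "npm"},
		{Name: "libfoo", Version: "", Type: "deb"},
		{Name: "", Version: "", Type: "python"},
	}
	kept, logs := Apply(cfg, pkgs)
	for _, l := range logs {
		fmt.Println(l)
	}
	fmt.Printf("%d of %d packages kept, %d field(s) stubbed\n", len(kept), len(pkgs), CountStubbed(kept))
}
```

With the defaults, the two nameless packages are dropped and libfoo is kept with version UNKNOWN; setting SYFT_COMPLIANCE_MISSING_NAME=stub and SYFT_COMPLIANCE_MISSING_VERSION=keep keeps all four. Note that a stubbed "UNKNOWN" version is indistinguishable from a real string to anything that does not know about this policy, which is why the stub count is worth surfacing next to the SBOM.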

kzantow (Contributor)

kzantow commented Sep 19, 2024

One observation: once the known-unknowns lands perhaps some of these options would go away / change? E.g. a user could surface something in the files section with something like:

/package.json
  unknowns: dropped package due to missing name

@wagoodman


Signed-off-by: Alex Goodman <[email protected]>
@wagoodman wagoodman marked this pull request as ready for review September 19, 2024 20:54
spiffcs (Contributor)

spiffcs commented Sep 20, 2024

I think the config placement and package organization is correct here from an API standpoint, so 🟢 from me. Was there any other discussion you wanted @wagoodman on this PR?

@wagoodman wagoodman added the enhancement New feature or request label Sep 20, 2024
@wagoodman wagoodman merged commit 963ea59 into main Sep 20, 2024
12 checks passed
@wagoodman wagoodman deleted the empty-name-version branch September 20, 2024 16:50
luhring added a commit to wolfi-dev/wolfictl that referenced this pull request Sep 25, 2024
Looks like just "UNKNOWN" being added to existing packages, likely from anchore/syft#3257.

Signed-off-by: Dan Luhring <[email protected]>
spiffcs added a commit that referenced this pull request Oct 2, 2024
* main: (343 commits)
  feat: update haproxy classifier (#3277)
  chore(deps): update tools to latest versions (#3291)
  fix: don't use builtin scanner in licensecheck (#3290)
  chore(deps): update CPE dictionary index (#3288)
  chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#3289)
  update redis classifier (#3281)
  fix: improve node classifier version matching (#3284)
  fix: update ruby classifier for -rc, -dev, etc. versions (#3285)
  chore(deps): update CPE dictionary index (#3262)
  chore(deps): bump github.com/docker/docker (#3264)
  chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#3275)
  chore(deps): update stereoscope to dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
  chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
  add awaiting response management (#3272)
  fix: correct excluded mount point comparison to file paths (#3269)
  Add JVM cataloger (#3217)
  feat: classifier for Dart lang binaries (#3265)
  Add compliance policy for empty name and version (#3257)
  chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to 2.3.2 (#3254)
  chore(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#3255)
  ...
@willmurphyscode willmurphyscode mentioned this pull request Oct 5, 2024