component-detection
Preserve Linux source package name
I've updated the LinuxComponent to include the source package name where possible.
Why? Many Linux distributions (debian/alpine/mariner) publish CVE data against source package names only, so this is required for users to CVE check against the output of component-detection.
Note: Syft doesn't always provide the source package name (it doesn't appear to provide this for ubuntu packages when the source and binary package names are the same).
This builds on https://github.com/microsoft/component-detection/pull/88, but adds a new field to LinuxComponent instead of making the Name of LinuxComponent be the source package name iff the distro publishes CVEs against source package name.
@JamieMagee you probably have the most context to review this
@JamieMagee before I rebase this, is this a change that you'd accept?
My team is currently working around this by discovering source packages where binary name != source name and registering them ourselves, but ideally we wouldn't have to.