Relativize CycloneDX-JSON file component paths against --base-path #4966
AgentGymLeader wants to merge 2 commits into
Conversation
The CycloneDX-JSON encoder set the file component name from metadata.Path (the raw, non-chrooted indexer path), so --base-path did not strip the host prefix the way it does for SPDX-JSON (which uses the base-relative Coordinates.RealPath). Use the base-relative RealPath for the CycloneDX file component name so both formats stay consistent and the SBOM no longer leaks absolute host paths.

Fixes anchore#4592

Signed-off-by: AgentGymLeader <AgentGymLeader@users.noreply.github.com>
@kzantow the one thing still open is whether the shared helper should use `AccessPath` or stay on `RealPath`. Both encoders run through it now, so I can move them together either way. Let me know which you'd prefer and I'll push the update.
relPath, found := strings.CutPrefix(absPath, "/")
if !found {
    return "", fmt.Errorf("error calculating relative path: %s", absPath)
This function returns an error converting a relative path to a relative path?
}
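Review bot: `strings.CutPrefix(absPath, "/")` only tests for a leading slash, so this helper has no way of knowing whether `absPath` lies under the scan base at all; a real path outside the base (scanning `/subdir` with a symlink resolving to `/foo`) comes back as `foo`, which names a file that does not exist under `/subdir`, and the one error branch fires only when the input was already relative, where "error calculating relative path" misdescribes what went wrong. Suggest taking the base directory as a second argument and comparing path segments, emitting `..` for each base segment the target does not share, so the escaped case becomes `../foo` and the error return can be dropped.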
cdxHashes := digestsToHashes(digests)
relativePath, err := formatinternal.ConvertAbsoluteToRelative(coordinate.RealPath)
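Review bot: passing only `coordinate.RealPath` here means the helper relativizes against `/` rather than against the directory given by `--base-path`, so the result is correct only when the real path happens to sit directly under the base; either pass the base in alongside the real path, or compute the relative name at this call site where the source's base directory is known.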
As was noted on the issue, converting the RealPath to a relative path in this manner seems like the wrong thing to do: if I scanned `/subdir` and there's a symlink to `../foo`, this would be resolved to the absolute path of `/foo`, which is a RealPath, which then would be converted to the relative path `foo`, but there is no `/subdir/foo`. As noted in another comment, this should probably be `../foo`.
"github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/file"
formatInternal "github.com/anchore/syft/syft/format/internal"
formatinternal "github.com/anchore/syft/syft/format/internal"
nit: can we avoid these import renames?
"strings"
)
func ConvertAbsoluteToRelative(absPath string) (string, error) {
I think this should be something like what filepath.Rel is doing, though I don't think we can use that function because the paths here are normalized to forwards slashes
File paths were produced by stripping a prefix, so a file whose real path escapes the scan --base-path (e.g. via a symlink) collapsed to 'foo' instead of the correct '../foo'. Add a forward-slash filepath.Rel-style helper and use it when the source is a directory scan with a base set; other source types keep the existing behavior. Also drop the unnecessary error return from the relative-path helpers.

Signed-off-by: AgentGymLeader <AgentGymLeader@users.noreply.github.com>
@kzantow thanks, addressed in 6f8c004:
Description

CycloneDX-JSON file components emitted absolute host paths even when `--base-path` was set, while SPDX-JSON correctly emitted base-relative paths. The CycloneDX encoder set the file component `Name` from `metadata.Path` (the raw, non-chrooted indexer path), so the host prefix was never stripped.

This makes CycloneDX match SPDX. SPDX's `toFiles` relativizes each file via `convertAbsoluteToRelative(coordinate.RealPath)`. I lifted that helper into `syft/format/internal.ConvertAbsoluteToRelative` so both encoders share one implementation (SPDX now delegates to it, with no behavior change) and used it for the CycloneDX file component name with the same error → fall-back-to-`RealPath` behavior.

@kzantow — thanks for the pointer on the issue. I went with the existing SPDX `convertAbsoluteToRelative(RealPath)` path rather than `AccessPath`, to keep the two encoders consistent and reuse the logic that already ships. Happy to switch the shared helper to `AccessPath` if you'd prefer that for the symlink-dedup cases you mentioned — since it's now shared, that would move both formats together.

Before / After (a file's CycloneDX `components[].name`, scanned with `--base-path`)

Before: `/abs/scan/root/usr/bin/foo`
After: `usr/bin/foo` (matches SPDX-JSON)

Type of change

Checklist

Issue references

Fixes #4592
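The forward-slash, filepath.Rel-style helper that the second commit message describes, and the Before/After from the description, written out as an added example. This is not syft's code: the names `stripLeadingSlash`, `splitSegments`, `relSlash` and `fileComponentName`, and the `isDirScan`/`base` parameters, are my own assumptions. It shows why stripping only the leading slash collapses an escaped real path (`/foo` scanned under `/subdir`) to `foo`, and how comparing whole path segments against the base yields `../foo` instead, while the in-base case still gives `usr/bin/foo`. The inputs are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// stripLeadingSlash is a stand-in for the replaced behavior: it only removes
// the leading "/", so it cannot tell whether absPath lies under the scan base.
// "/foo" scanned under "/subdir" becomes "foo", a file that does not exist there.
func stripLeadingSlash(absPath string) string {
	rel, _ := strings.CutPrefix(absPath, "/")
	return rel
}

// splitSegments cleans a "/"-separated path with path.Clean, which is
// slash-only and OS independent (unlike filepath on Windows), and returns
// its non-empty segments.
func splitSegments(p string) []string {
	var segs []string
	for _, s := range strings.Split(path.Clean(p), "/") {
		if s != "" {
			segs = append(segs, s)
		}
	}
	return segs
}

// relSlash is a filepath.Rel-style computation on forward-slash paths: it
// returns target expressed relative to base, climbing with ".." for every
// base segment the target does not share. Segments are compared whole, so
// "/sub" is not mistaken for a prefix of "/subdir". Both inputs must be
// absolute; otherwise target is returned unchanged (the fall-back-to-RealPath
// behavior), so no error return is needed.
func relSlash(base, target string) string {
	if !strings.HasPrefix(base, "/") || !strings.HasPrefix(target, "/") {
		return target
	}
	bs := splitSegments(base)
	ts := splitSegments(target)
	i := 0
	for i < len(bs) && i < len(ts) && bs[i] == ts[i] {
		i++
	}
	parts := make([]string, 0, (len(bs)-i)+(len(ts)-i))
	for range bs[i:] {
		parts = append(parts, "..")
	}
	parts = append(parts, ts[i:]...)
	if len(parts) == 0 {
		return "."
	}
	return strings.Join(parts, "/")
}

// fileComponentName applies the rule the fix describes: relativize against
// the base only for a directory scan with a base set; other source types keep
// the real path. The parameters are assumptions, not syft's API.
func fileComponentName(isDirScan bool, base, realPath string) string {
	if isDirScan && base != "" {
		return relSlash(base, realPath)
	}
	return realPath
}

func main() {
	// Constructed base/real-path pairs: in-base, escaped via symlink, and the
	// shared-prefix trap.
	cases := [][2]string{
		{"/abs/scan/root", "/abs/scan/root/usr/bin/foo"},
		{"/subdir", "/foo"},
		{"/sub", "/subdir/x"},
	}
	for _, c := range cases {
		fmt.Printf("base=%s real=%s  strip=%q  rel=%q\n",
			c[0], c[1], stripLeadingSlash(c[1]), relSlash(c[0], c[1]))
	}
}
```

Using the `path` package rather than `filepath` keeps the output `/`-separated on every OS, which is the reason given on the thread for not calling `filepath.Rel` directly; the segment-wise comparison is what makes the escaped path come out as `../foo` instead of silently naming a file inside the base.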