Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: remove second call to finalize as the task handles it #2516

Merged
merged 2 commits into from
Jan 19, 2024
Merged

fix: remove second call to finalize as the task handles it #2516

merged 2 commits into from
Jan 19, 2024

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Jan 19, 2024
edited
Loading

Summary

Closes #2509

This PR removes the double call to relationships.Finalize.

To validate the fix run the following using the latest release of syft:

syft cgr.dev/chainguard/coredns@sha256:238f7d4cff40ffa7262ae5508481722fe3213e4aae1e61a1425f07f4ae2e4d71 -qo json | jq .artifactRelationships > test.json

Then using this gist you can evaluate the output relationships from above and find the dupes:
https://gist.github.com/spiffcs/72b641f04ac79d160ce079bcd3816382

Duplicate relationship: Parent=007a689559786815, Child=0fdca611631006c5 Type=ownership-by-file-overlap
Duplicate relationship: Parent=007a689559786815, Child=fe672ea9910662d8 Type=evident-by
Duplicate relationship: Parent=014167b5dbcc5b66, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=02619b1e06d34738, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=03dd022f997618f7, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=04e552bdca0b46d0, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=0c54b26b7af957a5, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=0dbbe7127f2505bf, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=0e1e0f87146ef9a2, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=0f024cac5c4c3f57, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=0fdca611631006c5, Child=d2414b428d31083d Type=evident-by
Duplicate relationship: Parent=19408370ed916ebd, Child=2d14b57d501102cf Type=evident-by
Duplicate relationship: Parent=1e3d85055de3fdbe, Child=2d14b57d501102cf Type=evident-by
...

Run the same command as above using the tip of this branch:

go run cmd/syft/main.go cgr.dev/chainguard/coredns@sha256:238f7d4cff40ffa7262ae5508481722fe3213e4aae1e61a1425f07f4ae2e4d71 -qo json | jq .artifactRelationships > test.json

And then rerun the gist again on the output:
https://gist.github.com/spiffcs/72b641f04ac79d160ce079bcd3816382

There should no longer be any duplicates shown in the output

...

An integration test has also been added to project against this regression going forward where duplicate edges are not tolerated for the given image-pkg-coverage. The test was checked for failure against the change and shown to fail if the second Finalize call was not removed

Screenshot 2024-01-19 at 2 02 45 PM

@spiffcs spiffcs added the bug Something isn't working label Jan 19, 2024
@spiffcs spiffcs requested review from wagoodman and a team January 19, 2024 19:02
@spiffcs spiffcs merged commit 22f3a29 into main Jan 19, 2024
11 checks passed
@spiffcs spiffcs deleted the 2509-duplicate-relationship-final-sbom branch January 19, 2024 19:12
@spiffcs spiffcs mentioned this pull request Jan 19, 2024
Closed
@timsutton timsutton mentioned this pull request Jan 20, 2024
Merged
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
fix: remove second call to finalize as the task handles it (anchore#2516
5bfbd7f 
)

* fix: remove second call to finalize as the task handles it

Signed-off-by: Christopher Phillips <[email protected]>

* test: add test to protect against dupe relationships in final SBOM

Signed-off-by: Christopher Phillips <[email protected]>

---------

Signed-off-by: Christopher Phillips <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzantow kzantow kzantow approved these changes

@wagoodman wagoodman wagoodman approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Duplicate relationships in final SBOM
3 participants
@spiffcs @wagoodman @kzantow