
@nlamot nlamot commented Aug 22, 2025

Description

Extract file locations from SPDX File-Package relationships during SPDX document decoding to ensure packages have proper location information instead of null values.

  • Add populatePackageLocationsFromRelationships() function
  • Support evident-by comments (Syft SBOMs) and CONTAINS relationships
  • Remove package locations based on CONTAINS relationships like license information
  • Integrate into ToSyftModel() pipeline
  • Add comprehensive test coverage
  • Maintain backward compatibility

This fixes null locations in Grype vulnerability reports for SPDX SBOMs.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

nlamot added 2 commits August 22, 2025 07:09
Resolves anchore#4028

Extract file locations from SPDX File-Package relationships during
SPDX document decoding to ensure packages have proper location
information instead of null values.

- Add populatePackageLocationsFromRelationships() function
- Support evident-by comments (Syft SBOMs) and CONTAINS relationships
- Integrate into ToSyftModel() pipeline
- Add comprehensive test coverage
- Maintain backward compatibility

This fixes null locations in Grype vulnerability reports for SPDX SBOMs.

Signed-off-by: Nils Lamot <[email protected]>

Improve SPDX relationship processing to exclude license files, documentation,
and man pages from package location evidence. Refactor populatePackageLocationsFromRelationships
into smaller functions and add comprehensive test coverage for file filtering logic.

Signed-off-by: Nils Lamot <[email protected]>

nlamot commented Aug 22, 2025

Hi @kzantow

Based on the description in the issue, I've implemented a fix. However, I did notice that if we purely use the CONTAINS relationship as evidence, this results in the SBOM identifying things like the LICENSE files in my SPDX SBOMs as the location of a package. I added logic to cope with this, but this logic is rather naive.

Is this an issue in my SBOM? Or is this a general issue and is the way I fixed it acceptable?

Kind regards
Nils
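The approach the description and the follow-up comment outline (take File-Package relationships as package location evidence, trust Syft's evident-by relationships as written, and filter plain CONTAINS relationships so that LICENSE files, docs and man pages do not become a package's location), shown as an added, self-contained Go example. This is not the PR's code and not syft's or spdx/tools-golang's API: the `Document`, `SPDXFile`, `SPDXPackage` and `Relationship` types are a minimal constructed model, the "evident-by" marker is assumed to live in the relationship comment as Syft writes it, and `IsLocationEvidence` is one deliberately simple filtering heuristic. It also handles the reverse `CONTAINED_BY` direction, which the description does not mention.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// Minimal SPDX shapes, constructed for this example; they are not the
// spdx/tools-golang or syft types, only the fields the lookup needs.
type SPDXFile struct{ ID, Name string }
type SPDXPackage struct{ ID, Name string }
type Relationship struct{ RefA, Type, RefB, Comment string }
type Document struct {
	Files         []SPDXFile
	Packages      []SPDXPackage
	Relationships []Relationship
}

// IsLocationEvidence decides whether a file a package CONTAINS is useful as
// the package's location. License texts, docs and man pages are excluded by a
// deliberately simple name- and directory-based heuristic (an assumption here).
func IsLocationEvidence(filePath string) bool {
	base := strings.ToLower(path.Base(filePath))
	for _, p := range []string{"license", "licence", "copying", "copyright", "notice", "readme", "changelog"} {
		if strings.HasPrefix(base, p) {
			return false
		}
	}
	for _, seg := range strings.Split(strings.ToLower(path.Dir(filePath)), "/") {
		switch seg {
		case "doc", "docs", "man", "licenses", "info":
			return false
		}
	}
	return true
}

// PackageLocations returns, per package SPDX ID, the sorted file paths that
// serve as its location evidence. A relationship whose comment carries
// "evident-by" (the Syft convention, assumed here) is trusted as-is; plain
// CONTAINS / CONTAINED_BY relationships are filtered with IsLocationEvidence.
func PackageLocations(doc Document) map[string][]string {
	files := map[string]SPDXFile{}
	for _, f := range doc.Files {
		files[f.ID] = f
	}
	isPkg := map[string]bool{}
	for _, p := range doc.Packages {
		isPkg[p.ID] = true
	}
	seen := map[string]map[string]bool{}
	for _, rel := range doc.Relationships {
		evidentBy := strings.Contains(strings.ToLower(rel.Comment), "evident-by")
		var pkgID, fileID string
		switch {
		case (evidentBy || rel.Type == "CONTAINS") && isPkg[rel.RefA]:
			pkgID, fileID = rel.RefA, rel.RefB
		case rel.Type == "CONTAINED_BY" && isPkg[rel.RefB]:
			pkgID, fileID = rel.RefB, rel.RefA
		default:
			continue // DESCRIBES, package-to-package etc. carry no file location
		}
		f, ok := files[fileID]
		if !ok {
			continue // the other end is not a file in this document
		}
		if !evidentBy && !IsLocationEvidence(f.Name) {
			continue
		}
		if seen[pkgID] == nil {
			seen[pkgID] = map[string]bool{}
		}
		seen[pkgID][f.Name] = true
	}
	out := map[string][]string{}
	for pkgID, locs := range seen {
		for loc := range locs {
			out[pkgID] = append(out[pkgID], loc)
		}
		sort.Strings(out[pkgID])
	}
	return out
}

// SampleDocument is a constructed document: curl CONTAINS a binary, a license
// file and a man page; libfoo has only a Syft-style evident-by relationship.
func SampleDocument() Document {
	return Document{
		Packages: []SPDXPackage{{"SPDXRef-Package-curl", "curl"}, {"SPDXRef-Package-libfoo", "libfoo"}},
		Files: []SPDXFile{
			{"SPDXRef-File-1", "/usr/bin/curl"},
			{"SPDXRef-File-2", "/usr/share/doc/curl/LICENSE"},
			{"SPDXRef-File-3", "/usr/share/man/man1/curl.1.gz"},
			{"SPDXRef-File-4", "/var/lib/dpkg/status"},
		},
		Relationships: []Relationship{
			{"SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-curl", ""},
			{"SPDXRef-Package-curl", "CONTAINS", "SPDXRef-File-1", ""},
			{"SPDXRef-Package-curl", "CONTAINS", "SPDXRef-File-2", ""},
			{"SPDXRef-File-3", "CONTAINED_BY", "SPDXRef-Package-curl", ""},
			{"SPDXRef-Package-libfoo", "OTHER", "SPDXRef-File-4", "evident-by: indicates the package's existence is evident by the given file"},
		},
	}
}

func main() {
	for pkgID, locs := range PackageLocations(SampleDocument()) {
		fmt.Printf("%s -> %v\n", pkgID, locs)
	}
}
```

With the sample document, curl ends up with `/usr/bin/curl` only (the LICENSE and man page are dropped), and libfoo gets `/var/lib/dpkg/status` because evident-by relationships bypass the filter. The filter is the weak point, exactly as the comment notes: a name-based heuristic will misclassify unusual layouts, so a decoder that relies on it should prefer evident-by evidence whenever the SBOM carries it.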

Successfully merging this pull request may close these issues.

SPDX decoding: fill Package Locations field from most appropriate File <-> Package relationship