Container scanning dependency list ignores language packages

Summary

Currently, when parsing the dependency scanning report, we select the results with Class == "os-pkgs" and ignore the rest, which means that language packages do not get populated into the report.
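To make the filtering described above concrete, here is an added Ruby example (not code from the gcs project itself) that runs the current os-pkgs-only selection and a corrected converter side by side over a constructed report. The sample results, package names, versions and the 'config' result class are all constructed for the example; the corrected converter assumes that an explicit allow-list of result classes, a paired SrcName/SrcVersion-or-Name/Version fallback and a guard for results without a Packages key are acceptable design choices, which the issue does not settle.

```ruby
require 'json'

# Constructed sample in the shape the converter reads: each result carries a
# 'Class' and a list of 'Packages'. OS packages have SrcName/SrcVersion,
# language packages only Name/Version. Not real scanner output.
SAMPLE_RESULTS = [
  {
    'Target' => 'example-image (debian 11)',
    'Class' => 'os-pkgs',
    'Packages' => [
      { 'Name' => 'libssl1.1', 'Version' => '1.1.1n-0+deb11u3',
        'SrcName' => 'openssl', 'SrcVersion' => '1.1.1n-0+deb11u3' }
    ]
  },
  {
    'Target' => 'app/app.jar',
    'Class' => 'lang-pkgs',
    'Type' => 'jar',
    'Packages' => [
      { 'Name' => 'org.apache.logging.log4j:log4j-core', 'Version' => '2.17.1' }
    ]
  },
  # A result with no Packages key at all (constructed); a converter that
  # no longer filters by class must not crash on it.
  { 'Target' => 'Dockerfile', 'Class' => 'config' }
].freeze

# Current behaviour as described in the issue: only os-pkgs results are kept,
# so the log4j-core entry never reaches the dependency list.
def convert_os_pkgs_only(results)
  results
    .select { |result| result['Class'] == 'os-pkgs' }
    .flat_map do |result|
      result['Packages'].map do |package|
        { 'package' => { 'name' => package['SrcName'] }, 'version' => package['SrcVersion'] }
      end
    end
end

# Assumed allow-list of result classes that describe dependencies.
DEPENDENCY_CLASSES = %w[os-pkgs lang-pkgs].freeze

# Corrected behaviour: keep OS and language package results, fall back to the
# Name/Version pair only when the Src* keys are absent (so name and version
# always describe the same package), and tolerate results without Packages.
def convert_dependencies(results)
  results
    .select { |result| DEPENDENCY_CLASSES.include?(result['Class']) }
    .flat_map do |result|
      Array(result['Packages']).map do |package|
        if package['SrcName']
          name = package['SrcName']
          version = package['SrcVersion']
        else
          name = package['Name']
          version = package['Version']
        end
        { 'package' => { 'name' => name }, 'version' => version }
      end
    end
end

# Equivalent of the jq check in the reproduction steps: which package names
# ended up in the converted dependency list?
def dependency_names(dependencies)
  dependencies.map { |dep| dep['package']['name'] }
end

if __FILE__ == $PROGRAM_NAME
  before = convert_os_pkgs_only(SAMPLE_RESULTS)
  after = convert_dependencies(SAMPLE_RESULTS)
  puts "before: #{dependency_names(before).inspect}"
  puts "after:  #{dependency_names(after).inspect}"
  puts JSON.pretty_generate('dependency_files' => [{ 'dependencies' => after }])
end
```

Running it prints the os-pkgs-only list (just openssl), the corrected list that also contains org.apache.logging.log4j:log4j-core, and a report fragment you can feed to the same jq select from the reproduction steps.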

Steps to reproduce

  1. CS_DISABLE_DEPENDENCY_SCAN='false' bundle exec ./exe/gtcs scan docker.io/dnurmi/testrepo:jarjar

  2. The report should contain "org.apache.logging.log4j:log4j-core", but it does not.

    jq '.dependency_files[].dependencies[] | select(.package.name == "org.apache.logging.log4j:log4j-core")' < gl-dependency-scanning-report.json

What is the current bug behavior?

Language packages are ignored.

What is the expected correct behavior?

They should not be.

Possible fixes

In the converter, we need to stop selecting only the os-pkgs results:

diff --git a/lib/gcs/dependency_list_converter.rb b/lib/gcs/dependency_list_converter.rb
index 8c8c3a0..097f743 100644
--- a/lib/gcs/dependency_list_converter.rb
+++ b/lib/gcs/dependency_list_converter.rb
@@ -53,14 +53,13 @@ module Gcs
 
     def convert_dependencies(results)
       results
-        .select { |result| result['Class'] == 'os-pkgs' }
         .flat_map do |result|
           result['Packages'].map do |package|
             {
               'package' => {
-                'name' => package['SrcName']
+                'name' => package['SrcName'] || package['Name']
               },
-              'version' => package['SrcVersion']
+              'version' => package['SrcVersion'] || package['Version']
             }
           end
         end
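Review bot: removing the Class select lets every result class reach `result['Packages'].map`, so any result that carries no Packages key now raises on nil where it was previously filtered out; either guard with `Array(result['Packages']).map` or replace the select with an allow-list, e.g. `.select { |result| %w[os-pkgs lang-pkgs].include?(result['Class']) }`, rather than dropping it. The two independent `||` fallbacks can also pair a SrcName with a non-source Version (or a Name with a SrcVersion) when only one of the Src* keys is present; choose the SrcName/SrcVersion pair when SrcName is set and the Name/Version pair otherwise, so the emitted name and version always describe the same package.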

Open question: Are Name and Version used for all languages? The SrcName and SrcVersion keys are absent for Java packages.

Edited by Brian Williams