Skip to content

Strip namespaces from OS component names

Oscar Tovar requested to merge otovar/strip-namespaces-when-building-findings-from-os-components into master

What does this MR do and why?

The namespace is included for most OS package types, and if not removed, will cause findings created by Continous Container Scanning to deviate from the output format established by the container-scanning analyzer. To maintain parity, we now remove the namespace from specific PURL types. Namely, we remove the namespace from components with the apk, deb, and rpm PURL types. This means that we'll now parse a component name like debian/curl and transform it to curl which is the current behavior.

Relates to #442847 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before:

vulnerable package name contains the namespace value e.g. debian, alpine, etc.

After:

vulnerable package name now omits the namespace value e.g. debian, alpine, etc.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Oscar Tovar

Merge request reports