Merge pull request #660 from snyk/feat/CN-70-rpm-source

feat: added source package name and version to purl for rpm packages …

Author: neil-snyk

lib/analyzer/package-managers/rpm.ts

@@ -6,6 +6,7 @@ import {
   AnalyzedPackageWithVersion,
   ImagePackagesAnalysis,
   OSRelease,
+  SourcePackage,
 } from "../types";
 
 export function analyze(
@@ -18,14 +19,15 @@ export function analyze(
     Image: targetImage,
     AnalyzeType: AnalysisType.Rpm,
     Analysis: pkgs.map((pkgInfo) => {
+      const generatedPurl = purl(pkgInfo, repositories, osRelease);
       return {
         Name: pkgInfo.name,
         Version: formatRpmPackageVersion(pkgInfo),
         Source: undefined,
         Provides: [],
         Deps: {},
         AutoInstalled: undefined,
-        Purl: purl(pkgInfo, repositories, osRelease),
+        Purl: generatedPurl,
       };
     }),
   });
@@ -43,6 +45,17 @@ function purl(
     qualifiers.module = modName + ":" + modVersion;
   }
 
+  if (pkg.sourceRPM) {
+    const sourcePackage = parseSourceRPM(pkg.sourceRPM);
+    if (sourcePackage) {
+      let upstream = sourcePackage.name;
+      if (sourcePackage.version) {
+        upstream += `@${sourcePackage.version}`;
+      }
+      qualifiers.upstream = upstream;
+    }
+  }
+
   if (repos.length > 0) {
     qualifiers.repositories = repos.join(",");
   }
@@ -61,13 +74,59 @@ function purl(
     vendor,
     pkg.name,
     formatRpmPackageVersion(pkg),
-    // make sure that we pass in undefined if there are no qualifiers, because
-    // the packageurl-js library doesn't handle that properly...
     Object.keys(qualifiers).length !== 0 ? qualifiers : undefined,
     undefined,
   ).toString();
 }
 
+export function parseSourceRPM(
+  sourceRPM: string | undefined,
+): SourcePackage | undefined {
+  if (!sourceRPM || !sourceRPM.endsWith(".src.rpm")) {
+    return undefined;
+  }
+
+  const baseName = sourceRPM.substring(0, sourceRPM.length - ".src.rpm".length);
+
+  const lastHyphenIdx = baseName.lastIndexOf("-");
+  // Ensure there's something after the last hyphen (release) and something before it (name-version)
+  if (
+    lastHyphenIdx === -1 ||
+    lastHyphenIdx === 0 ||
+    lastHyphenIdx === baseName.length - 1
+  ) {
+    return undefined;
+  }
+
+  const release = baseName.substring(lastHyphenIdx + 1);
+  const nameVersionPart = baseName.substring(0, lastHyphenIdx);
+
+  const secondLastHyphenIdx = nameVersionPart.lastIndexOf("-");
+  // Ensure there's something after the second-last hyphen (version) and something before it (name)
+  if (
+    secondLastHyphenIdx === -1 ||
+    secondLastHyphenIdx === 0 ||
+    secondLastHyphenIdx === nameVersionPart.length - 1
+  ) {
+    return undefined;
+  }
+
+  const version = nameVersionPart.substring(secondLastHyphenIdx + 1);
+  const name = nameVersionPart.substring(0, secondLastHyphenIdx);
+
+  // Final check for empty parts, which could happen with malformed inputs
+  // or if hyphens were at the very start/end of segments.
+  if (!name || !version || !release) {
+    return undefined;
+  }
+
+  return {
+    name,
+    version,
+    release,
+  };
+}
+
 export function mapRpmSqlitePackages(
   targetImage: string,
   rpmPackages: PackageInfo[],
@@ -78,14 +137,16 @@ export function mapRpmSqlitePackages(
 
   if (rpmPackages) {
     analysis = rpmPackages.map((pkg) => {
+      const generatedPurl = purl(pkg, repositories, osRelease);
+
       return {
         Name: pkg.name,
         Version: formatRpmPackageVersion(pkg),
         Source: undefined,
         Provides: [],
         Deps: {},
         AutoInstalled: undefined,
-        Purl: purl(pkg, repositories, osRelease),
+        Purl: generatedPurl,
       };
     });
   }

lib/analyzer/types.ts

@@ -108,3 +108,9 @@ export interface DestinationDir {
   name: string;
   removeCallback: () => void;
 }
+
+export interface SourcePackage {
+  name: string;
+  version: string;
+  release: string;
+}

lib/sub-process.ts

@@ -12,7 +12,10 @@ function execute(
   args: string[],
   options?,
 ): Promise<CmdOutput> {
-  const spawnOptions: any = { shell: true, env: { ...process.env } };
+  const spawnOptions: any = {
+    shell: process.platform !== "win32" ? "/bin/bash" : true,
+    env: { ...process.env },
+  };
   if (options && options.cwd) {
     spawnOptions.cwd = options.cwd;
   }

test/README.md

@@ -10,12 +10,12 @@ To run system tests the following environment variables need to be set:
 
 This is an image that is hosted on Docker Hub but not available publicly.
 Note that the variables above are used purely for system test and are unrelated to the `SNYK_REGISTRY_USERNAME
-` / `SNYK_REGISTRY_PASSWORD` environment variables which may be present at runtime.
+` / `SNYK_REGISTRY_PASSWORD` environment variables which need to be present at runtime and can be found in 1password.
 
 If tests should fail because that config hasn't been done, some artifacts will be left over/my_custom/image/save/path
 /auth/{someGuid}. This needs to be manually deleted before subsequent runs to avoid more failures.
 
-Additionally, you should have Docker installed and the Docker daemon should be running. This is because some tests require pulling container images beforehand and also other tests check functionality like pulling directly from the Docker socket.
+Additionally, you should have Docker installed and the Docker daemon should be running. This is because some tests require pulling container images beforehand and also other tests check functionality like pulling directly from the Docker socket. Also double check that `Use containerd for pulling and storing images` is unchecked in Docker desktop settings as using `containerd` leads to issues with SHA's not matching in some tests.
 
 ## Writing tests
 

test/fixtures/rpm/source_rpms.csv

@@ -0,0 +1 @@
+redhat-release-10.0-29.el10.src.rpm,gcc-14.2.1-7.el10.src.rpm,setup-2.14.5-4.el10.src.rpm,fonts-rpm-macros-2.0.5-18.el10.src.rpm,tzdata-2025a-1.el10.src.rpm,filesystem-3.18-16.el10.src.rpm,google-noto-fonts-20240401-5.el10.src.rpm,subscription-manager-rhsm-certificates-20220623-6.el10.src.rpm,google-noto-fonts-20240401-5.el10.src.rpm,google-noto-fonts-20240401-5.el10.src.rpm,google-noto-fonts-20240401-5.el10.src.rpm,basesystem-11-22.el10.src.rpm,redhat-fonts-4.0.3-14.el10.src.rpm,redhat-fonts-4.0.3-14.el10.src.rpm,langpacks-4.1-3.el10.src.rpm,langpacks-4.1-3.el10.src.rpm,langpacks-4.1-3.el10.src.rpm,vim-9.1.083-5.el10.src.rpm,pcre2-10.44-1.el10.3.src.rpm,ncurses-6.4-14.20240127.el10.src.rpm,glibc-2.39-37.el10.src.rpm,glibc-2.39-37.el10.src.rpm,glibc-2.39-37.el10.src.rpm,ncurses-6.4-14.20240127.el10.src.rpm,bash-5.2.26-6.el10.src.rpm,zlib-ng-2.2.3-1.el10.src.rpm,bzip2-1.0.8-25.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,xz-5.6.2-3.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,libffi-3.4.4-9.el10.src.rpm,libxcrypt-4.4.36-10.el10.src.rpm,zstd-1.5.5-9.el10.src.rpm,elfutils-0.192-5.el10.src.rpm,popt-1.19-8.el10.src.rpm,libxml2-2.12.5-5.el10_0.src.rpm,crypto-policies-20250214-1.gitfd9b9b9.el10.src.rpm,readline-8.2-11.el10.src.rpm,attr-2.5.2-5.el10.src.rpm,acl-2.3.2-4.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,gcc-14.2.1-7.el10.src.rpm,pcre2-10.44-1.el10.3.src.rpm,sqlite-3.46.1-3.el10.src.rpm,dmidecode-3.6-3.el10.src.rpm,expat-2.6.4-1.el10.src.rpm,gdbm-1.23-11.el10_0.src.rpm,json-c-0.18-3.el10.src.rpm,keyutils-1.6.3-5.el10.src.rpm,libcap-ng-0.8.4-6.el10.src.rpm,audit-4.0.3-1.el10.src.rpm,libeconf-0.6.2-4.el10.src.rpm,pam-1.6.1-7.el10.src.rpm,libcap-2.69-7.el10.src.rpm,systemd-257-9.el10.src.rpm,libtasn1-4.20.0-1.el10.src.rpm,p11-kit-0.25.5-7.el10.src.rpm,grep-3.11-10.el10.src.rpm,libbpf-1.5.0-4.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,gmp-6.2.1-10.el10.src.rpm,libsepol-3.8-1.el10.src.rpm,libselinux-3.8-1.el10.src.rpm,coreutils-9.5-6.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,sed-4.9-3.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,findutils-4.10.0-5.el10.src.rpm,libunistring-1.1-10.el10.src.rpm,libidn2-2.3.7-3.el10.src.rpm,lua-5.4.6-7.el10.src.rpm,gzip-1.13-3.el10.src.rpm,cracklib-2.9.11-8.el10.src.rpm,cracklib-2.9.11-8.el10.src.rpm,libpwquality-1.4.5-12.el10.src.rpm,openssl-fips-provider-3.0.7-6.el10.src.rpm,openssl-fips-provider-3.0.7-6.el10.src.rpm,which-2.21-43.el10.src.rpm,libsemanage-3.8-1.el10.src.rpm,shadow-utils-4.15.0-5.el10.src.rpm,libutempter-1.2.1-15.el10.src.rpm,mpfr-4.2.1-5.el10.src.rpm,gawk-5.3.0-6.el10.src.rpm,dbus-1.14.10-5.el10.src.rpm,keyutils-1.6.3-5.el10.src.rpm,gdbm-1.23-11.el10_0.src.rpm,libcomps-0.1.21-3.el10.src.rpm,attr-2.5.2-5.el10.src.rpm,file-5.45-7.el10.src.rpm,dbus-1.14.10-5.el10.src.rpm,dbus-broker-36-1.el10.src.rpm,dbus-1.14.10-5.el10.src.rpm,psmisc-23.6-8.el10.src.rpm,chkconfig-1.30-2.el10.src.rpm,p11-kit-0.25.5-7.el10.src.rpm,ca-certificates-2024.2.69_v8.0.303-102.3.el10.src.rpm,openssl-3.2.2-16.el10.src.rpm,pam-1.6.1-7.el10.src.rpm,rust-rpm-sequoia-1.6.0-6.el10.src.rpm,rpm-4.19.1.1-12.el10.src.rpm,libsolv-0.7.29-7.el10.src.rpm,tpm2-tss-4.1.3-5.el10.src.rpm,ima-evm-utils-1.6.2-1.el10.src.rpm,rpm-4.19.1.1-12.el10.src.rpm,python-pip-23.3.2-7.el10.src.rpm,gnutls-3.8.9-9.el10.src.rpm,glib2-2.80.4-4.el10.src.rpm,gobject-introspection-1.79.1-6.el10.src.rpm,json-glib-1.8.0-5.el10.src.rpm,librhsm-0.0.3-16.el10.src.rpm,e2fsprogs-1.47.1-3.el10.src.rpm,gcc-14.2.1-7.el10.src.rpm,libmnl-1.0.5-7.el10.src.rpm,iproute-6.11.0-1.el10.src.rpm,nghttp2-1.64.0-2.el10.src.rpm,libseccomp-2.5.3-10.el10.src.rpm,libverto-0.3.2-10.el10.src.rpm,krb5-1.21.3-7.el10.src.rpm,curl-8.9.1-5.el10.src.rpm,librepo-1.18.0-3.el10.src.rpm,curl-8.9.1-5.el10.src.rpm,libyaml-0.2.5-16.el10.src.rpm,libmodulemd-2.15.0-12.el10.src.rpm,libdnf-0.73.1-7.el10.src.rpm,subscription-manager-1.30.5-1.el10.src.rpm,lz4-1.9.4-8.el10.src.rpm,libarchive-3.7.7-1.el10.src.rpm,util-linux-2.40.2-10.el10.src.rpm,authselect-1.5.0-8.el10.src.rpm,elfutils-0.192-5.el10.src.rpm,elfutils-0.192-5.el10.src.rpm,systemd-257-9.el10.src.rpm,systemd-257-9.el10.src.rpm,rpm-4.19.1.1-12.el10.src.rpm,virt-what-1.27-2.el10.src.rpm,mpdecimal-2.5.1-12.el10.src.rpm,python3.12-3.12.9-1.el10.src.rpm,python3.12-3.12.9-1.el10.src.rpm,dbus-python-1.3.2-8.el10.src.rpm,libdnf-0.73.1-7.el10.src.rpm,libdnf-0.73.1-7.el10.src.rpm,pygobject3-3.46.0-7.el10.src.rpm,pygobject3-3.46.0-7.el10.src.rpm,python-idna-3.7-4.el10.src.rpm,rpm-4.19.1.1-12.el10.src.rpm,python-six-1.16.0-16.el10.src.rpm,python-dateutil-2.8.2-15.el10.src.rpm,python-iniparse-0.5-10.el10.src.rpm,python-urllib3-1.26.19-2.el10.src.rpm,libcomps-0.1.21-3.el10.src.rpm,librepo-1.18.0-3.el10.src.rpm,python-charset-normalizer-3.3.2-7.el10.src.rpm,python-requests-2.32.3-2.el10.src.rpm,subscription-manager-1.30.5-1.el10.src.rpm,subscription-manager-1.30.5-1.el10.src.rpm,python-decorator-5.1.1-12.el10.src.rpm,python-inotify-0.9.6-36.el10.src.rpm,python-systemd-235-11.el10.src.rpm,dnf-4.20.0-11.el10.src.rpm,dnf-4.20.0-11.el10.src.rpm,dnf-4.20.0-11.el10.src.rpm,dnf-plugins-core-4.7.0-8.el10.src.rpm,subscription-manager-1.30.5-1.el10.src.rpm,dnf-4.20.0-11.el10.src.rpm,crypto-policies-20250214-1.gitfd9b9b9.el10.src.rpm,authselect-1.5.0-8.el10.src.rpm,rpm-4.19.1.1-12.el10.src.rpm,tar-1.35-7.el10.src.rpm,vim-9.1.083-5.el10.src.rpm,gdb-14.2-4.el10.src.rpm,langpacks-4.1-3.el10.src.rpm,rootfiles-8.1-41.el10.src.rpm

test/lib/analyzer/package-managers/rpm.spec.ts

@@ -1,88 +1,114 @@
-import { PackageInfo } from "@snyk/rpm-parser/lib/rpm/types";
-import { mapRpmSqlitePackages } from "../../../../lib/analyzer/package-managers/rpm";
+import * as fs from "fs";
+import * as path from "path";
+import { parseSourceRPM } from "../../../../lib/analyzer/package-managers/rpm";
+import { SourcePackage } from "../../../../lib/analyzer/types";
 
-describe("Correctly maps RPM package version", () => {
-  it("formats version without epoch", () => {
-    const mappedResults = mapRpmSqlitePackages(
-      "image",
-      [
-        {
-          name: "pkg1",
-          version: "1.2.3",
-          release: "1",
-          size: 1,
-        },
-      ],
-      [],
+describe("parseSourceRPM", () => {
+  it("should correctly parse all valid source RPM strings from source_rpms.csv", () => {
+    const csvFilePath = path.join(
+      __dirname,
+      "../../../../test/fixtures/rpm/source_rpms.csv",
     );
+    let fileContent;
+    try {
+      fileContent = fs.readFileSync(csvFilePath, "utf-8");
+    } catch (error) {
+      throw new Error(
+        `Failed to read source_rpms.csv: ${error.message}. Please ensure the file exists at test/fixtures/rpm/source_rpms.csv.`,
+      );
+    }
+
+    const sourceRpmStrings = fileContent
+      .split(",")
+      .filter((s) => s.trim() !== "");
+
+    if (sourceRpmStrings.length === 0) {
+      console.warn(
+        "source_rpms.csv is empty or contains no valid entries. Test will pass trivially.",
+      );
+      return;
+    }
 
-    const expected = [
-      {
-        Name: "pkg1",
-        Version: "1.2.3-1",
-        Source: undefined,
-        Provides: [],
-        Deps: {},
-        AutoInstalled: undefined,
-        Purl: "pkg:rpm/pkg1@1.2.3-1",
-      },
-    ];
-    expect(mappedResults.Analysis).toMatchObject(expected);
+    let failedCount = 0;
+    sourceRpmStrings.forEach((rpmString) => {
+      const parsed = parseSourceRPM(rpmString.trim());
+
+      try {
+        expect(parsed).toBeDefined();
+        if (parsed) {
+          expect(parsed.name).toEqual(expect.any(String));
+          expect(parsed.name.length).toBeGreaterThan(0);
+          expect(parsed.version).toEqual(expect.any(String));
+          expect(parsed.version.length).toBeGreaterThan(0);
+          expect(parsed.release).toEqual(expect.any(String));
+          expect(parsed.release.length).toBeGreaterThan(0);
+        }
+      } catch (e) {
+        console.error(`Failed to parse or assert: '${rpmString}'`, e);
+        failedCount++;
+      }
+    });
+
+    if (failedCount > 0) {
+      throw new Error(
+        `${failedCount} out of ${sourceRpmStrings.length} RPM strings failed parsing or assertion.`,
+      );
+    }
+    expect(failedCount).toBe(0);
   });
-  it("formats version with epoch == 0", () => {
-    const mappedResults = mapRpmSqlitePackages(
-      "image",
-      [
-        {
-          name: "pkg2",
-          version: "1.2.3",
-          release: "2",
-          epoch: 0,
-          size: 1,
-        },
-      ],
-      [],
-    );
 
-    const expected = [
-      {
-        Name: "pkg2",
-        Version: "1.2.3-2",
-        Source: undefined,
-        Provides: [],
-        Deps: {},
-        AutoInstalled: undefined,
-        Purl: "pkg:rpm/pkg2@1.2.3-2",
-      },
-    ];
-    expect(mappedResults.Analysis).toMatchObject(expected);
+  // Add more specific test cases if needed
+  it("should return undefined for invalid or malformed source RPM strings", () => {
+    expect(parseSourceRPM("invalid-rpm-string")).toBeUndefined();
+    expect(parseSourceRPM("nameonly.src.rpm")).toBeUndefined();
+    expect(parseSourceRPM("name-versiononly.src.rpm")).toBeUndefined();
+    expect(parseSourceRPM("name-1.2.3-.src.rpm")).toBeUndefined(); // empty release
+    expect(parseSourceRPM("name--release.src.rpm")).toBeUndefined(); // empty version
+    expect(parseSourceRPM("-version-release.src.rpm")).toBeUndefined(); // empty name
+    expect(parseSourceRPM("not-an-rpm-at-all")).toBeUndefined();
+    expect(parseSourceRPM("")).toBeUndefined();
+    expect(parseSourceRPM(undefined)).toBeUndefined();
   });
-  it("formats version with epoch", () => {
-    const mappedResults = mapRpmSqlitePackages(
-      "image",
+
+  it("should correctly parse known valid source RPM strings", () => {
+    const cases: Array<{ input: string; expected: SourcePackage | undefined }> =
       [
         {
-          name: "pkg3",
-          version: "1.2.3",
-          release: "3",
-          epoch: 1,
-          size: 1,
+          input: "bash-5.1.16-4.el9.src.rpm",
+          expected: {
+            name: "bash",
+            version: "5.1.16",
+            release: "4.el9",
+          },
         },
-      ],
-      [],
-    );
+        {
+          input: "libreport-filesystem-2.17.11-1.fc38.src.rpm",
+          expected: {
+            name: "libreport-filesystem",
+            version: "2.17.11",
+            release: "1.fc38",
+          },
+        },
+        {
+          input: "kernel-6.5.0-0.rc1.20230722gitb1c0ddc7f7e1.42.fc39.src.rpm",
+          expected: {
+            name: "kernel",
+            version: "6.5.0",
+            release: "0.rc1.20230722gitb1c0ddc7f7e1.42.fc39",
+          },
+        },
+        {
+          input: "hyphen-name-package-1.2.3-1.src.rpm",
+          expected: {
+            name: "hyphen-name-package",
+            version: "1.2.3",
+            release: "1",
+          },
+        },
+      ];
 
-    const expected = [
-      {
-        Name: "pkg3",
-        Version: "1:1.2.3-3",
-        Source: undefined,
-        Provides: [],
-        Deps: {},
-        AutoInstalled: undefined,
-        Purl: "pkg:rpm/pkg3@1:1.2.3-3?epoch=1",
-      },
-    ];
-    expect(mappedResults.Analysis).toMatchObject(expected);
+    for (const tc of cases) {
+      expect(parseSourceRPM(tc.input)).toEqual(tc.expected);
+    }
   });
 });