
fix: vulnerability scans with extensions#473

Merged
talos-bot merged 1 commit into
siderolabs:mainfrom
frezbo:fix/vulnerability-scans-with-extensions
Jun 1, 2026

Conversation

@frezbo

@frezbo frezbo commented Jun 1, 2026

Member

When adding extensions, grype was unable to match the suppressions due to the way we were generating SBOMs. So let's add a root identifier and put all others as a reference.

Copilot AI review requested due to automatic review settings June 1, 2026 14:48
@github-project-automation github-project-automation Bot moved this to To Do in Planning Jun 1, 2026
@talos-bot talos-bot moved this from To Do to In Review in Planning Jun 1, 2026

Copilot AI left a comment


Pull request overview

This PR adjusts the enterprise SPDX bundle merge logic so the merged document has a single, stable “DOCUMENT-DESCRIBES” root package (with all per-source roots referenced beneath it), improving grype’s ability to match OpenVEX suppressions when extensions are included.

Changes:

  • Add an explicit synthetic root package (DocumentRoot-Directory-talos) to the merged SPDX document and ensure the document describes only that root.
  • Rewrite per-source DOCUMENT DESCRIBES <root> relationships into CONTAINS relationships under the synthetic root during merge.
  • Introduce TalosPackageName (enterprise build) and add a regression test asserting the single-root invariants.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

  • pkg/constants/name_ent_on.go: Introduces TalosPackageName and derives TalosPURL from it for consistent naming.
  • enterprise/spdx/builder/spdx.go: Adds a synthetic root package and re-parents per-source roots under it to preserve a single DOCUMENT-DESCRIBES root.
  • enterprise/spdx/builder/spdx_test.go: Adds a regression test ensuring a single described root and correct root metadata for syft/grype matching.

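The merge rule described in the review above (one synthetic root that the document DESCRIBES, with every per-source root re-parented under it as CONTAINS), shown as an added Go example that is not the project's own code. The SPDX types are a constructed minimal subset, and the `SPDXRef-` prefix on the root identifier is an assumption; only the name `DocumentRoot-Directory-talos` comes from the PR.

```go
package main

import "fmt"

// Constructed minimal SPDX subset (not the project's own types).
type Relationship struct{ A, Type, B string }
type Document struct {
	SPDXID        string
	Packages      []string
	Relationships []Relationship
}

// Root name from the PR description; the SPDXRef- prefix is assumed here.
const SyntheticRootID = "SPDXRef-DocumentRoot-Directory-talos"

// MergeWithSingleRoot combines per-source SBOMs into one document whose only
// DESCRIBES edge points at the synthetic root; each source's own DESCRIBES
// target is re-parented as "root CONTAINS target" instead of being copied.
func MergeWithSingleRoot(docID string, sources ...Document) Document {
	out := Document{SPDXID: docID, Packages: []string{SyntheticRootID},
		Relationships: []Relationship{{docID, "DESCRIBES", SyntheticRootID}}}
	for _, src := range sources {
		out.Packages = append(out.Packages, src.Packages...)
		for _, r := range src.Relationships {
			if r.Type == "DESCRIBES" && r.A == src.SPDXID {
				r = Relationship{SyntheticRootID, "CONTAINS", r.B}
			}
			out.Relationships = append(out.Relationships, r)
		}
	}
	return out
}

// DescribedRoots lists what the document itself DESCRIBES; the single-root
// invariant from the PR's regression test is that this has exactly one element.
func DescribedRoots(d Document) []string {
	var roots []string
	for _, r := range d.Relationships {
		if r.Type == "DESCRIBES" && r.A == d.SPDXID {
			roots = append(roots, r.B)
		}
	}
	return roots
}

func main() {
	// Constructed sample: a base image SBOM plus one extension SBOM, each
	// describing its own root (the situation that confused grype's matching).
	base := Document{SPDXID: "SPDXRef-DOCUMENT", Packages: []string{"SPDXRef-talos"},
		Relationships: []Relationship{{"SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-talos"}}}
	ext := Document{SPDXID: "SPDXRef-DOCUMENT", Packages: []string{"SPDXRef-ext"},
		Relationships: []Relationship{{"SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-ext"}}}
	fmt.Println(DescribedRoots(MergeWithSingleRoot("SPDXRef-DOCUMENT", base, ext)))
}
```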

When adding extensions, grype was unable to match the suppressions due to
the way we were generating SBOMs. So let's add a root identifier and put
all others as a reference.

Signed-off-by: Noel Georgi <git@frezbo.dev>
@frezbo frezbo force-pushed the fix/vulnerability-scans-with-extensions branch from 6a96a3e to b5d3d92 Compare June 1, 2026 15:23
@github-project-automation github-project-automation Bot moved this from In Review to Approved in Planning Jun 1, 2026
@frezbo

frezbo commented Jun 1, 2026

Member Author

/m

@talos-bot talos-bot merged commit b5d3d92 into siderolabs:main Jun 1, 2026
21 checks passed
@github-project-automation github-project-automation Bot moved this from Approved to Done in Planning Jun 1, 2026
@frezbo frezbo deleted the fix/vulnerability-scans-with-extensions branch June 1, 2026 16:26
