feat: expose rpm signature information
This helps with more confident identification of an rpm.

In theory, two rpms can be built that have the same purl string, and
otherwise look identical in syft's output, but the PGP information
would distinguish them as signed either by different keys, or signed at
different times.

In practice, this usually makes no difference since rpms tend to have
unique name/version/release strings. This just gives increased
confidence about the identity of the rpm found in the db.

Signed-off-by: Ralph Bean <[email protected]>
ralphbean authored and wagoodman committed Sep 9, 2024
1 parent 0a3f513 commit 49dc367
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions syft/pkg/cataloger/redhat/parse_rpm_db.go
Expand Up @@ -71,6 +71,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm
Arch: entry.Arch,
Release: entry.Release,
SourceRpm: entry.SourceRpm,
PGP: entry.PGP,
Vendor: entry.Vendor,
Size: entry.Size,
ModularityLabel: &entry.Modularitylabel,
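Review bot: the `PGP: entry.PGP` assignment copies the string out of the rpmdb entry with no check that it is present or well-formed, so an unsigned package yields an empty `pgp` field and a corrupted or attacker-controlled rpmdb (the database is read from the scanned image, not from a trusted source) can populate it with arbitrary text. That is fine for the identification hint the commit message describes, but a short comment at this line saying the value is the signature header as recorded in the database, not a verified signature, would stop downstream consumers from reading its presence as proof of authenticity.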
1 change: 1 addition & 0 deletions syft/pkg/rpm.go
Expand Up @@ -32,6 +32,7 @@ type RpmDBEntry struct {
Arch string `json:"architecture"`
Release string `json:"release" cyclonedx:"release"`
SourceRpm string `json:"sourceRpm" cyclonedx:"sourceRpm"`
PGP string `json:"pgp" cyclonedx:"pgp"`
Size int `json:"size" cyclonedx:"size"`
Vendor string `json:"vendor"`
ModularityLabel *string `json:"modularityLabel,omitempty"`
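Review bot: the new exported field `PGP string` has no doc comment; a one-line comment stating what the string holds (the package's PGP signature header text as stored in the rpmdb) would help consumers of the JSON `pgp` key and the CycloneDX `pgp` property, and would document that it is informational rather than a verification result. Since this adds a key to the serialized output, any golden-file tests or output schema the project maintains would also need regenerating, and nothing of that kind appears among the 2 changed files in this commit.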
