feat: expose rpm signature information

This helps with more confident identification of an rpm. In theory, two rpms can be built that have the same purl string, and otherwise look identical in syft's output, but the PGP information would distinguish them as signed either by different keys, or signed at different times. In practice, this usually makes no difference since rpms tend to have unique name/version/release strings. This just gives increased confidence about the identity of the rpm found in the db. Signed-off-by: Ralph Bean <[email protected]>
anchore · Aug 30, 2024 · e8575eb · e8575eb
1 parent f2caf45
commit e8575eb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/syft/pkg/cataloger/redhat/parse_rpm_db.go b/syft/pkg/cataloger/redhat/parse_rpm_db.go
@@ -71,6 +71,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm
 			Arch:            entry.Arch,
 			Release:         entry.Release,
 			SourceRpm:       entry.SourceRpm,
+			PGP:             entry.PGP,
 			Vendor:          entry.Vendor,
 			Size:            entry.Size,
 			ModularityLabel: &entry.Modularitylabel,

diff --git a/syft/pkg/rpm.go b/syft/pkg/rpm.go
@@ -32,6 +32,7 @@ type RpmDBEntry struct {
 	Arch            string          `json:"architecture"`
 	Release         string          `json:"release" cyclonedx:"release"`
 	SourceRpm       string          `json:"sourceRpm" cyclonedx:"sourceRpm"`
+	PGP             string          `json:"pgp" cyclonedx:"pgp"`
 	Size            int             `json:"size" cyclonedx:"size"`
 	Vendor          string          `json:"vendor"`
 	ModularityLabel *string         `json:"modularityLabel,omitempty"`