Open
Bug
Labels: kind/bug (Categorizes issue or PR as related to a bug.)
Description
If there are 2 (or more) components that depend on each other (infinite loop):
Trivy thinks the component has a parent component and does not link it to the root component (OS component):
Lines 412 to 433 in 3b1426a
```go
func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Packages, hasRoot bool) bool {
	// Case 1: Relationship: known , DependsOn: known
	//   Packages with no parent are included in the parent
	//   - Relationship:
	//     - Root: true (it doesn't have a parent)
	//     - Workspace: false (it always has a parent)
	//     - Direct:
	//       - No root dependency in the project: true (e.g., poetry.lock)
	//       - Otherwise: false (Direct dependencies should belong to the root/workspace)
	//     - Indirect: false (it always has a parent)
	// Case 2: Relationship: unknown, DependsOn: unknown (e.g., conan lockfile v2)
	//   All packages are included in the parent
	// Case 3: Relationship: known , DependsOn: unknown (e.g., go.mod without $GOPATH)
	//   All packages are included in the parent
	// Case 4: Relationship: unknown, DependsOn: known (e.g., GoBinaries, OS packages)
	//   - Packages with parents: false. These packages are included in the packages from `parents` (e.g. GoBinaries deps and root package).
	//   - Packages without parents: true. These packages are included in the parent (e.g. OS packages without parents).
	if pkg.Relationship == ftypes.RelationshipDirect {
		return !hasRoot
	}
	return len(parents[pkg.ID]) == 0
}
```
This results in these packages being orphans (and Trivy decoding them incorrectly).
See example in #9006 (comment)
Discussed in #9006
nozo-moto
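The failure mode described in the issue, as an added example that is not Trivy's code: a stand-alone Go re-implementation of the `belongToParent` decision quoted above, run over a constructed OS-package graph in which two packages depend on each other. `Orphans` shows that the `len(parents[pkg.ID]) == 0` rule leaves every member of such a cycle unlinked from the root, because each one has the other as its parent. `AttachedFixed` is one possible repair (an assumption for this example, not a proposed Trivy patch): keep the original rule, then attach any package that is still unreachable from the root, one per pass, so a cycle gets exactly one link from the root instead of none. The `Package` and `Relationship` types are minimal stand-ins for `ftypes.Package` / `ftypes.Relationship`, and the `bash`/`libc`/`pam`/`systemd` graph is invented, not real distribution metadata.

```go
package main

import "sort"

// Relationship stands in for ftypes.Relationship; only Direct changes the decision below.
type Relationship int

const (
	RelationshipUnknown Relationship = iota // OS packages, GoBinaries (Case 4 in the snippet)
	RelationshipDirect
)

// Package is a minimal stand-in for ftypes.Package (constructed for this example).
type Package struct {
	ID           string
	Relationship Relationship
	DependsOn    []string
}

// parentsOf inverts the DependsOn edges: parents[child] lists every package that depends on child.
func parentsOf(pkgs []Package) map[string][]string {
	parents := make(map[string][]string)
	for _, p := range pkgs {
		for _, dep := range p.DependsOn {
			parents[dep] = append(parents[dep], p.ID)
		}
	}
	return parents
}

// belongToParent mirrors the decision in the snippet quoted in the issue: attach a package to
// the root/parent only if it is Direct in a project without a root, or if nothing depends on it.
func belongToParent(pkg Package, parents map[string][]string, hasRoot bool) bool {
	if pkg.Relationship == RelationshipDirect {
		return !hasRoot
	}
	return len(parents[pkg.ID]) == 0
}

// attachedByRule applies belongToParent to every package.
func attachedByRule(pkgs []Package, hasRoot bool) map[string]bool {
	parents := parentsOf(pkgs)
	attached := make(map[string]bool, len(pkgs))
	for _, p := range pkgs {
		attached[p.ID] = belongToParent(p, parents, hasRoot)
	}
	return attached
}

// reachable walks DependsOn edges from every package attached to the root and returns the
// set of packages that end up linked to the root, directly or transitively.
func reachable(pkgs []Package, attached map[string]bool) map[string]bool {
	byID := make(map[string]Package, len(pkgs))
	var stack []string
	for _, p := range pkgs {
		byID[p.ID] = p
		if attached[p.ID] {
			stack = append(stack, p.ID)
		}
	}
	seen := make(map[string]bool)
	for len(stack) > 0 {
		id := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[id] {
			continue
		}
		seen[id] = true
		stack = append(stack, byID[id].DependsOn...)
	}
	return seen
}

// Orphans returns, sorted, the packages the current rule leaves unlinked from the root.
func Orphans(pkgs []Package, hasRoot bool) []string {
	seen := reachable(pkgs, attachedByRule(pkgs, hasRoot))
	var out []string
	for _, p := range pkgs {
		if !seen[p.ID] {
			out = append(out, p.ID)
		}
	}
	sort.Strings(out)
	return out
}

// AttachedFixed is a hypothetical repair: after the original rule, while some package is still
// unreachable from the root, attach the lexicographically smallest unreachable one. Each pass
// makes at least one more package reachable, so the loop terminates with no orphans.
func AttachedFixed(pkgs []Package, hasRoot bool) map[string]bool {
	attached := attachedByRule(pkgs, hasRoot)
	for {
		seen := reachable(pkgs, attached)
		var unreached []string
		for _, p := range pkgs {
			if !seen[p.ID] {
				unreached = append(unreached, p.ID)
			}
		}
		if len(unreached) == 0 {
			return attached
		}
		sort.Strings(unreached)
		attached[unreached[0]] = true // one entry point into the otherwise unreachable cycle
	}
}

// Sample is a constructed OS-package graph: bash -> libc, plus a pam <-> systemd cycle.
var Sample = []Package{
	{ID: "bash", DependsOn: []string{"libc"}},
	{ID: "libc"},
	{ID: "pam", DependsOn: []string{"systemd"}},
	{ID: "systemd", DependsOn: []string{"pam", "libc"}},
}
```

With `Sample`, `Orphans(Sample, true)` returns `pam` and `systemd`: `bash` is the only package with no parent, so it is attached to the root and `libc` is reached through it, but `pam` and `systemd` each count as the other's parent and nothing attaches them. `AttachedFixed(Sample, true)` additionally attaches `pam`, after which `systemd` is reachable through it. Attaching only one member per pass keeps spurious root edges to a minimum; attaching every unreachable package would also work but would add a root link for each cycle member.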