Use files other than system package manager DBs when possible to determine component to layer map

jasonpaulos · jasonpaulos · commit 39b2cff25b17 · 2026-06-25T12:11:42.000-04:00
diff --git a/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs b/src/Microsoft.ComponentDetection.Detectors/linux/LinuxScanner.cs
@@ -30,6 +30,21 @@ internal class LinuxScanner : ILinuxScanner
 
     private static readonly IList<string> ScopeSquashedParameter = ["--scope", "squashed"];
 
+    /// <summary>
+    /// Well-known package manager database paths whose layer attribution should be ignored
+    /// when determining which layer a system package belongs to. These files are shared across
+    /// all packages managed by the same package manager and get updated whenever any package is
+    /// installed or removed, causing unrelated packages to appear as modified in later layers.
+    /// </summary>
+    private static readonly HashSet<string> PackageManagerDatabasePaths = new(StringComparer.OrdinalIgnoreCase)
+    {
+        "/var/lib/dpkg/status",
+        "/lib/apk/db/installed",
+        "/var/lib/rpm/Packages",
+        "/var/lib/rpm/Packages.db",
+        "/var/lib/rpm/rpmdb.sqlite",
+    };
+
     private static readonly SemaphoreSlim ContainerSemaphore = new SemaphoreSlim(2);
 
     /// <summary>
@@ -179,11 +194,16 @@ private IEnumerable<LayerMappedLinuxComponents> ProcessSyftOutputWithTelemetry(
             }
         }
 
+        // Build a file path → layerID map from the top-level files listing.
+        // This allows us to determine layer attribution for files owned by a package
+        // even when the artifact's locations only reference the package manager database.
+        var filePathToLayerId = BuildFilePathToLayerMap(syftOutput.Files);
+
         // Create components using only enabled factories
         var componentsWithLayers = validArtifacts
             .DistinctBy(artifact => (artifact.Name, artifact.Version, artifact.Type))
             .Select(artifact =>
-                this.CreateComponentWithLayers(artifact, syftOutput.Distro, enabledFactories)
+                this.CreateComponentWithLayers(artifact, syftOutput.Distro, enabledFactories, filePathToLayerId)
             )
             .Where(result => result.Component != null)
             .Select(result => (Component: result.Component!, result.LayerIds))
@@ -388,7 +408,8 @@ private async Task<string> RunSyftCoreAsync(
     private (TypedComponent? Component, IEnumerable<string> LayerIds) CreateComponentWithLayers(
         ArtifactElement artifact,
         Distro distro,
-        HashSet<IArtifactComponentFactory> enabledFactories
+        HashSet<IArtifactComponentFactory> enabledFactories,
+        Dictionary<string, string> filePathToLayerId
     )
     {
         if (!this.artifactTypeToFactoryLookup.TryGetValue(artifact.Type, out var factory))
@@ -408,12 +429,93 @@ HashSet<IArtifactComponentFactory> enabledFactories
             return (null, []);
         }
 
-        var layerIds = artifact.Locations?.Select(location => location.LayerId).Distinct() ?? [];
-        return (component, layerIds);
+        // Collect layer IDs from the artifact's locations.
+        var locationLayerIds = artifact.Locations?
+            .Select(location => (location.Path, location.LayerId))
+            .ToList() ?? [];
+
+        // Also consult the metadata files property to find additional owned files,
+        // and look up their layer IDs from the top-level file listing.
+        if (artifact.Metadata?.Files != null)
+        {
+            foreach (var file in artifact.Metadata.Files)
+            {
+                var filePath = file.FileFile?.Path;
+                if (!string.IsNullOrEmpty(filePath) && filePathToLayerId.TryGetValue(filePath, out var layerId))
+                {
+                    locationLayerIds.Add((filePath, layerId));
+                }
+            }
+        }
+
+        // Exclude well-known package manager database paths from layer attribution,
+        // unless they are the only known locations for this component.
+        var nonDbLayerIds = locationLayerIds
+            .Where(loc => !IsPackageManagerDatabasePath(loc.Path))
+            .Select(loc => loc.LayerId)
+            .Distinct()
+            .ToList();
+
+        if (nonDbLayerIds.Count > 0)
+        {
+            return (component, nonDbLayerIds);
+        }
+
+        // Fall back to database path layer IDs if no other locations are available.
+        var allLayerIds = locationLayerIds
+            .Select(loc => loc.LayerId)
+            .Distinct()
+            .ToList();
+        return (component, allLayerIds);
     }
 
     /// <summary>
     /// Clears the syft run cache. Intended for test isolation only.
     /// </summary>
     internal static void ResetCache() => SyftRunCache.Clear();
+
+    /// <summary>
+    /// Builds a dictionary mapping file paths to their layer IDs from the top-level
+    /// files listing in the syft output. This enables layer attribution for files
+    /// owned by a package even when the artifact's locations only reference the
+    /// package manager database.
+    /// </summary>
+    private static Dictionary<string, string> BuildFilePathToLayerMap(FileElement[] files)
+    {
+        var map = new Dictionary<string, string>(StringComparer.Ordinal);
+        if (files == null)
+        {
+            return map;
+        }
+
+        foreach (var file in files)
+        {
+            if (file.Location != null && !string.IsNullOrEmpty(file.Location.Path) && !string.IsNullOrEmpty(file.Location.LayerId))
+            {
+                map.TryAdd(file.Location.Path, file.Location.LayerId);
+            }
+        }
+
+        return map;
+    }
+
+    /// <summary>
+    /// Determines whether a file path is a well-known package manager database file
+    /// that should be excluded from layer attribution.
+    /// </summary>
+    private static bool IsPackageManagerDatabasePath(string path)
+    {
+        if (string.IsNullOrEmpty(path))
+        {
+            return false;
+        }
+
+        if (PackageManagerDatabasePaths.Contains(path))
+        {
+            return true;
+        }
+
+        // Cover any file under /var/lib/rpm/ (RPM database can use multiple files)
+        return path.StartsWith("/var/lib/rpm/", StringComparison.OrdinalIgnoreCase);
+    }
 }
diff --git a/src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs b/src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs
@@ -44,7 +44,19 @@ public ScanResult GenerateScanResultFromProcessingResult(
         var componentsToOutput = mergedComponents;
         if (settings.FilterBaseImageComponents)
         {
-            componentsToOutput = FilterOutBaseImageComponents(componentsToOutput, detectorProcessingResult.ContainersDetailsMap);
+            var originalCount = mergedComponents.Count;
+            componentsToOutput = this.FilterOutBaseImageComponents(componentsToOutput, detectorProcessingResult.ContainersDetailsMap);
+            var filteredCount = originalCount - componentsToOutput.Count;
+
+            if (filteredCount > 0)
+            {
+                this.logger.LogInformation("Filtered out {FilteredCount} of {TotalCount} components that originate exclusively from base image layers. {RetainedCount} components remain.", filteredCount, originalCount, componentsToOutput.Count);
+            }
+            else
+            {
+                this.logger.LogInformation("Base image component filtering is enabled but no components were filtered out ({TotalCount} total).", originalCount);
+            }
+
             PruneFilteredComponentsFromGraphs(dependencyGraphs, componentsToOutput);
             PruneFilteredComponentReferrers(componentsToOutput);
         }
@@ -67,7 +79,7 @@ public ScanResult GenerateScanResultFromProcessingResult(
     /// <param name="components">The list of detected components to filter.</param>
     /// <param name="containerDetailsMap">The map of container details with layer information.</param>
     /// <returns>A filtered list of components excluding those exclusively from base image layers.</returns>
-    internal static List<DetectedComponent> FilterOutBaseImageComponents(
+    internal List<DetectedComponent> FilterOutBaseImageComponents(
         List<DetectedComponent> components,
         Dictionary<int, ContainerDetails> containerDetailsMap)
     {
@@ -86,7 +98,20 @@ internal static List<DetectedComponent> FilterOutBaseImageComponents(
             }
         }
 
-        return components.Where(component => !IsExclusivelyFromBaseImage(component, layerLookup)).ToList();
+        var retained = new List<DetectedComponent>();
+        foreach (var component in components)
+        {
+            if (IsExclusivelyFromBaseImage(component, layerLookup))
+            {
+                this.logger.LogDebug("Filtering out component {ComponentId} because all associated layers are from the base image.", component.Component.Id);
+            }
+            else
+            {
+                retained.Add(component);
+            }
+        }
+
+        return retained;
     }
 
     private static bool IsExclusivelyFromBaseImage(DetectedComponent component, Dictionary<int, Dictionary<int, DockerLayer>> layerLookup)
diff --git a/test/Microsoft.ComponentDetection.Detectors.Tests/LinuxScannerTests.cs b/test/Microsoft.ComponentDetection.Detectors.Tests/LinuxScannerTests.cs
@@ -96,6 +96,10 @@ public class LinuxScannerTests
                     "version":"1.0.0",
                     "type":"deb",
                     "locations": [
+                        {
+                            "path": "/usr/bin/test",
+                            "layerID": "sha256:f95fc50d21d981f1efe1f04109c2c3287c271794f5d9e4fdf9888851a174a971"
+                        },
                         {
                             "path": "/var/lib/dpkg/status",
                             "layerID": "sha256:f95fc50d21d981f1efe1f04109c2c3287c271794f5d9e4fdf9888851a174a971"
@@ -1466,4 +1470,186 @@ public async Task TestLinuxScanner_CancelledCaller_DoesNotBlockOnInFlightSyftRun
         var result1 = await task1;
         result1.Should().NotBeEmpty();
     }
+
+    [TestMethod]
+    public void TestLinuxScanner_ProcessSyftOutput_ExcludesPackageManagerDatabasePathsFromLayerAttribution()
+    {
+        // Simulates a scenario where a package (curl) is installed in layer1,
+        // but the dpkg status file is also modified in layer2 by a different package install.
+        // curl should only be attributed to layer1.
+        var syftOutputJson = """
+            {
+                "distro": { "id": "ubuntu", "versionID": "22.04" },
+                "artifacts": [
+                    {
+                        "name": "curl",
+                        "version": "7.81.0",
+                        "type": "deb",
+                        "locations": [
+                            {
+                                "path": "/usr/bin/curl",
+                                "layerID": "sha256:layer1"
+                            },
+                            {
+                                "path": "/var/lib/dpkg/status",
+                                "layerID": "sha256:layer2"
+                            }
+                        ]
+                    }
+                ],
+                "source": {
+                    "id": "sha256:abc",
+                    "name": "test-image",
+                    "type": "image",
+                    "version": "sha256:abc"
+                }
+            }
+            """;
+        var syftOutput = SyftOutput.FromJson(syftOutputJson);
+        var containerLayers = new List<DockerLayer>
+        {
+            new() { DiffId = "sha256:layer1", LayerIndex = 0, IsBaseImage = true },
+            new() { DiffId = "sha256:layer2", LayerIndex = 1, IsBaseImage = false },
+        };
+        var enabledTypes = new HashSet<ComponentType> { ComponentType.Linux };
+
+        var result = this.linuxScanner.ProcessSyftOutput(syftOutput, containerLayers, enabledTypes).ToList();
+
+        // curl should only appear in layer1, not layer2
+        var layer1Entry = result.FirstOrDefault(r => r.DockerLayer.DiffId == "sha256:layer1");
+        var layer2Entry = result.FirstOrDefault(r => r.DockerLayer.DiffId == "sha256:layer2");
+
+        layer1Entry.Should().NotBeNull();
+        layer1Entry.Components.Should().ContainSingle();
+        ((LinuxComponent)layer1Entry.Components.First()).Name.Should().Be("curl");
+
+        // layer2 should have no components (or not exist in results)
+        layer2Entry?.Components.Should().BeEmpty();
+    }
+
+    [TestMethod]
+    public void TestLinuxScanner_ProcessSyftOutput_PackageWithOnlyDatabasePath_FallsBackToDatabaseLayer()
+    {
+        // If a package only has the database path as its location (no real file paths
+        // and no metadata files), the database path layer is used as a fallback.
+        var syftOutputJson = """
+            {
+                "distro": { "id": "alpine", "versionID": "3.18" },
+                "artifacts": [
+                    {
+                        "name": "musl",
+                        "version": "1.2.4",
+                        "type": "apk",
+                        "locations": [
+                            {
+                                "path": "/lib/apk/db/installed",
+                                "layerID": "sha256:layer1"
+                            }
+                        ]
+                    }
+                ],
+                "source": {
+                    "id": "sha256:abc",
+                    "name": "test-image",
+                    "type": "image",
+                    "version": "sha256:abc"
+                }
+            }
+            """;
+        var syftOutput = SyftOutput.FromJson(syftOutputJson);
+        var containerLayers = new List<DockerLayer>
+        {
+            new() { DiffId = "sha256:layer1", LayerIndex = 0, IsBaseImage = true },
+        };
+        var enabledTypes = new HashSet<ComponentType> { ComponentType.Linux };
+
+        var result = this.linuxScanner.ProcessSyftOutput(syftOutput, containerLayers, enabledTypes).ToList();
+
+        // The component should fall back to the database path's layer
+        var layer1Entry = result.FirstOrDefault(r => r.DockerLayer.DiffId == "sha256:layer1");
+        layer1Entry.Should().NotBeNull();
+        layer1Entry.Components.Should().ContainSingle();
+        ((LinuxComponent)layer1Entry.Components.First()).Name.Should().Be("musl");
+    }
+
+    [TestMethod]
+    public void TestLinuxScanner_ProcessSyftOutput_UsesMetadataFilesForLayerAttribution()
+    {
+        // Simulates a scenario where a package (curl) only has the package DB in its
+        // artifact locations, but has owned files in metadata.files. The top-level files[]
+        // listing provides the layer mapping for those owned files. The component should
+        // be attributed to the layer of its owned files, not the DB layer.
+        var syftOutputJson = """
+            {
+                "distro": { "id": "mariner", "versionID": "3.0" },
+                "artifacts": [
+                    {
+                        "name": "curl",
+                        "version": "8.11.1",
+                        "type": "rpm",
+                        "locations": [
+                            {
+                                "path": "/var/lib/rpm/rpmdb.sqlite",
+                                "layerID": "sha256:layer2"
+                            }
+                        ],
+                        "metadata": {
+                            "files": [
+                                { "path": "/usr/bin/curl" },
+                                { "path": "/usr/lib/libcurl.so" }
+                            ]
+                        }
+                    }
+                ],
+                "files": [
+                    {
+                        "id": "file1",
+                        "location": {
+                            "path": "/usr/bin/curl",
+                            "layerID": "sha256:layer1"
+                        }
+                    },
+                    {
+                        "id": "file2",
+                        "location": {
+                            "path": "/usr/lib/libcurl.so",
+                            "layerID": "sha256:layer1"
+                        }
+                    },
+                    {
+                        "id": "file3",
+                        "location": {
+                            "path": "/var/lib/rpm/rpmdb.sqlite",
+                            "layerID": "sha256:layer2"
+                        }
+                    }
+                ],
+                "source": {
+                    "id": "sha256:abc",
+                    "name": "test-image",
+                    "type": "image",
+                    "version": "sha256:abc"
+                }
+            }
+            """;
+        var syftOutput = SyftOutput.FromJson(syftOutputJson);
+        var containerLayers = new List<DockerLayer>
+        {
+            new() { DiffId = "sha256:layer1", LayerIndex = 0, IsBaseImage = true },
+            new() { DiffId = "sha256:layer2", LayerIndex = 1, IsBaseImage = false },
+        };
+        var enabledTypes = new HashSet<ComponentType> { ComponentType.Linux };
+
+        var result = this.linuxScanner.ProcessSyftOutput(syftOutput, containerLayers, enabledTypes).ToList();
+
+        // curl should be attributed to layer1 (where its real files are), not layer2 (DB layer)
+        var layer1Entry = result.FirstOrDefault(r => r.DockerLayer.DiffId == "sha256:layer1");
+        var layer2Entry = result.FirstOrDefault(r => r.DockerLayer.DiffId == "sha256:layer2");
+
+        layer1Entry.Should().NotBeNull();
+        layer1Entry.Components.Should().ContainSingle();
+        ((LinuxComponent)layer1Entry.Components.First()).Name.Should().Be("curl");
+
+        layer2Entry?.Components.Should().BeEmpty();
+    }
 }
