feat(alpine): add maintainer field extraction for APK packages (#8930)

knqyf263 · web-flow · commit 104bbc18ea85 · 2025-05-29T10:47:33.000Z
Signed-off-by: knqyf263 &lt;knqyf263@gmail.com&gt;
diff --git a/integration/testdata/alpine-39-high-critical.json.golden b/integration/testdata/alpine-39-high-critical.json.golden
@@ -68,7 +68,7 @@
           "PkgName": "musl",
           "PkgIdentifier": {
             "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "d6abd271e71d3ce2"
+            "UID": "aae058383ba5a25e"
           },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
@@ -114,7 +114,7 @@
           "PkgName": "musl-utils",
           "PkgIdentifier": {
             "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "a35dd6cab4aabdf1"
+            "UID": "4089d29c2d05b72d"
           },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
diff --git a/integration/testdata/alpine-39.json.golden b/integration/testdata/alpine-39.json.golden
@@ -380,7 +380,7 @@
           "PkgName": "musl",
           "PkgIdentifier": {
             "PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "d6abd271e71d3ce2"
+            "UID": "aae058383ba5a25e"
           },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
@@ -426,7 +426,7 @@
           "PkgName": "musl-utils",
           "PkgIdentifier": {
             "PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
-            "UID": "a35dd6cab4aabdf1"
+            "UID": "4089d29c2d05b72d"
           },
           "InstalledVersion": "1.1.20-r4",
           "FixedVersion": "1.1.20-r5",
diff --git a/pkg/fanal/analyzer/analyzer_test.go b/pkg/fanal/analyzer/analyzer_test.go
@@ -342,6 +342,7 @@ func TestAnalyzerGroup_AnalyzeFile(t *testing.T) {
 								SrcName:    "musl",
 								SrcVersion: "1.1.24-r2",
 								Licenses:   []string{"MIT"},
+								Maintainer: "Timo Teräs <timo.teras@iki.fi>",
 								Arch:       "x86_64",
 								Digest:     "sha1:cb2316a189ebee5282c4a9bd98794cc2477a74c6",
 								InstalledFiles: []string{
diff --git a/pkg/fanal/analyzer/pkg/apk/apk.go b/pkg/fanal/analyzer/pkg/apk/apk.go
@@ -108,6 +108,8 @@ func (a alpinePkgAnalyzer) parseApkInfo(ctx context.Context, scanner *bufio.Scan
 			if d != "" {
 				pkg.Digest = d
 			}
+		case "m:":
+			pkg.Maintainer = line[2:]
 		}
 
 		if pkg.Name != "" && pkg.Version != "" {
diff --git a/pkg/fanal/analyzer/pkg/apk/apk_test.go b/pkg/fanal/analyzer/pkg/apk/apk_test.go
@@ -19,6 +19,7 @@ var pkgs = []types.Package{
 		SrcName:    "musl",
 		SrcVersion: "1.1.14-r10",
 		Licenses:   []string{"MIT"},
+		Maintainer: "Timo Teräs <timo.teras@iki.fi>",
 		Arch:       "x86_64",
 		Digest:     "sha1:d68b402f35f57750f49156b0cb4e886a2ad35d2d",
 		InstalledFiles: []string{
@@ -33,6 +34,7 @@ var pkgs = []types.Package{
 		SrcName:    "busybox",
 		SrcVersion: "1.24.2-r9",
 		Licenses:   []string{"GPL-2.0-only"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		DependsOn:  []string{"musl@1.1.14-r10"},
 		Arch:       "x86_64",
 		Digest:     "sha1:ca124719267cd0bedc2f4cb850a286ac13f0ad44",
@@ -51,6 +53,7 @@ var pkgs = []types.Package{
 		SrcName:    "alpine-baselayout",
 		SrcVersion: "3.0.3-r0",
 		Licenses:   []string{"GPL-2.0-only"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		DependsOn: []string{
 			"busybox@1.24.2-r9",
 			"musl@1.1.14-r10",
@@ -92,6 +95,7 @@ var pkgs = []types.Package{
 		SrcName:    "alpine-keys",
 		SrcVersion: "1.1-r0",
 		Licenses:   []string{"GPL-2.0-or-later"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		Arch:       "x86_64",
 		Digest:     "sha1:4def7ffaee6aeba700c1d62570326f75cbb8fa25",
 		InstalledFiles: []string{
@@ -109,6 +113,7 @@ var pkgs = []types.Package{
 		SrcName:    "zlib",
 		SrcVersion: "1.2.8-r2",
 		Licenses:   []string{"Zlib"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		DependsOn:  []string{"musl@1.1.14-r10"},
 		Arch:       "x86_64",
 		Digest:     "sha1:efd04d34d40aa8eb331480127364c27a8ba760ef",
@@ -124,6 +129,7 @@ var pkgs = []types.Package{
 		SrcName:    "openssl",
 		SrcVersion: "1.0.2h-r1",
 		Licenses:   []string{"OpenSSL"},
+		Maintainer: "Timo Teras <timo.teras@iki.fi>",
 		DependsOn: []string{
 			"musl@1.1.14-r10",
 			"zlib@1.2.8-r2",
@@ -155,6 +161,7 @@ var pkgs = []types.Package{
 		SrcName:    "openssl",
 		SrcVersion: "1.0.2h-r1",
 		Licenses:   []string{"OpenSSL"},
+		Maintainer: "Timo Teras <timo.teras@iki.fi>",
 		Digest:     "sha1:7120f337e93b2b4c44e0f5f31a15b60dc678ca14",
 		DependsOn: []string{
 			"libcrypto1.0@1.0.2h-r1",
@@ -173,6 +180,7 @@ var pkgs = []types.Package{
 		SrcName:    "apk-tools",
 		SrcVersion: "2.6.7-r0",
 		Licenses:   []string{"GPL-2.0-only"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		Digest:     "sha1:0990c0acd62b4175818c3a4cc60ed11f14e23bd8",
 		DependsOn: []string{
 			"libcrypto1.0@1.0.2h-r1",
@@ -192,6 +200,7 @@ var pkgs = []types.Package{
 		SrcName:    "pax-utils",
 		SrcVersion: "1.1.6-r0",
 		Licenses:   []string{"GPL-2.0-only"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		Digest:     "sha1:f9bab817c5ad93e92a6218bc0f7596b657c02d90",
 		DependsOn:  []string{"musl@1.1.14-r10"},
 		Arch:       "x86_64",
@@ -210,7 +219,8 @@ var pkgs = []types.Package{
 			"BSD-3-Clause",
 			"GPL-2.0-or-later",
 		},
-		Digest: "sha1:608aa1dd39eff7bc6615d3e5e33383750f8f5ecc",
+		Maintainer: "Timo Teräs <timo.teras@iki.fi>",
+		Digest:     "sha1:608aa1dd39eff7bc6615d3e5e33383750f8f5ecc",
 		DependsOn: []string{
 			"musl@1.1.14-r10",
 			"scanelf@1.1.6-r0",
@@ -231,6 +241,7 @@ var pkgs = []types.Package{
 		SrcName:    "libc-dev",
 		SrcVersion: "0.7-r0",
 		Licenses:   []string{"GPL-2.0-or-later"},
+		Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 		Digest:     "sha1:9055bc7afd76cf2672198042f72fc4a5ed4fa961",
 		DependsOn:  []string{"musl-utils@1.1.14-r10"},
 		Arch:       "x86_64",
@@ -243,6 +254,7 @@ var pkgs = []types.Package{
 		SrcName:    "pkgconf",
 		SrcVersion: "1.6.0-r0",
 		Licenses:   []string{"ISC"},
+		Maintainer: "William Pitcock <nenolod@dereferenced.org>",
 		Digest:     "sha1:e6242ac29589c8a84a4b179b491ea7c29fce66a9",
 		DependsOn:  []string{"musl@1.1.14-r10"},
 		Arch:       "x86_64",
@@ -261,6 +273,7 @@ var pkgs = []types.Package{
 		SrcName:    "sqlite",
 		SrcVersion: "3.26.0-r3",
 		Licenses:   []string{"Public-Domain"},
+		Maintainer: "Carlo Landmeter <clandmeter@gmail.com>",
 		Digest:     "sha1:1464946c3a5f0dd5a67ca1af930fc17af7a74474",
 		DependsOn:  []string{"musl@1.1.14-r10"},
 		Arch:       "x86_64",
@@ -276,6 +289,7 @@ var pkgs = []types.Package{
 		SrcName:    "test-parent",
 		SrcVersion: "2.9.11_pre20061021-r2",
 		Licenses:   []string{"Public-Domain"},
+		Maintainer: "Carlo Landmeter <clandmeter@gmail.com>",
 		Digest:     "sha1:f0bf315ec54828188910e4a665c00bc48bdbdd7d",
 		DependsOn: []string{
 			"pkgconf@1.6.0-r0",
@@ -300,7 +314,8 @@ var pkgs = []types.Package{
 			"MIT",
 			"MPL-2.0",
 		},
-		Digest: "sha1:593154f80c440685448e0f52479725d7bc9b678d",
+		Maintainer: "Jakub Jirutka <jakub@jirutka.cz>",
+		Digest:     "sha1:593154f80c440685448e0f52479725d7bc9b678d",
 		DependsOn: []string{
 			"musl@1.1.14-r10",
 		},
diff --git a/pkg/fanal/artifact/image/image_test.go b/pkg/fanal/artifact/image/image_test.go
@@ -50,6 +50,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "alpine-baselayout",
 			SrcVersion: "3.2.0-r3",
 			Licenses:   []string{"GPL-2.0-only"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:8f373f5b329c3aaf136eb30c63a387661ee0f3d0",
 			DependsOn: []string{
 				"busybox@1.31.1-r9",
@@ -93,6 +94,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "alpine-keys",
 			SrcVersion: "2.1-r2",
 			Licenses:   []string{"MIT"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Arch:       "x86_64",
 			Digest:     "sha1:64929f85b7f8b4adbb664d905410312936b79d9b",
 			InstalledFiles: []string{
@@ -123,6 +125,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "apk-tools",
 			SrcVersion: "2.10.4-r3",
 			Licenses:   []string{"GPL-2.0-only"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:b15ad0c90e4493dfdc948d6b90a8e020da8936ef",
 			DependsOn: []string{
 				"libcrypto1.1@1.1.1d-r3",
@@ -142,6 +145,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "busybox",
 			SrcVersion: "1.31.1-r9",
 			Licenses:   []string{"GPL-2.0-only"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:a457703d71654811ea28d8d27a5cfc49ece27b34",
 			DependsOn: []string{
 				"musl@1.1.24-r2",
@@ -167,8 +171,9 @@ func TestArtifact_Inspect(t *testing.T) {
 				"MPL-2.0",
 				"GPL-2.0-or-later",
 			},
-			Arch:   "x86_64",
-			Digest: "sha1:3aeb8a90d7179d2a187782e980a964494e08c5fb",
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
+			Arch:       "x86_64",
+			Digest:     "sha1:3aeb8a90d7179d2a187782e980a964494e08c5fb",
 			InstalledFiles: []string{
 				"etc/ssl/cert.pem",
 			},
@@ -180,6 +185,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "libc-dev",
 			SrcVersion: "0.7.2-r0",
 			Licenses:   []string{"BSD-3-Clause"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:a7bf32bd32c6d3de2d1c4d7e753a0919b998cd01",
 			DependsOn: []string{
 				"musl-utils@1.1.24-r2",
@@ -193,6 +199,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "openssl",
 			SrcVersion: "1.1.1d-r3",
 			Licenses:   []string{"OpenSSL"},
+			Maintainer: "Timo Teras <timo.teras@iki.fi>",
 			Digest:     "sha1:dd8fb9a3cce7b2bcf954271da62fb85dac2b106a",
 			DependsOn: []string{
 				"musl@1.1.24-r2",
@@ -220,6 +227,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "openssl",
 			SrcVersion: "1.1.1d-r3",
 			Licenses:   []string{"OpenSSL"},
+			Maintainer: "Timo Teras <timo.teras@iki.fi>",
 			Digest:     "sha1:938d46e41b3e56b339a3aeb2d02fad3d75728f35",
 			DependsOn: []string{
 				"libcrypto1.1@1.1.1d-r3",
@@ -258,6 +266,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "musl",
 			SrcVersion: "1.1.24-r2",
 			Licenses:   []string{"MIT"},
+			Maintainer: "Timo Teräs <timo.teras@iki.fi>",
 			Arch:       "x86_64",
 			Digest:     "sha1:cb2316a189ebee5282c4a9bd98794cc2477a74c6",
 			InstalledFiles: []string{
@@ -276,7 +285,8 @@ func TestArtifact_Inspect(t *testing.T) {
 				"BSD-3-Clause",
 				"GPL-2.0-or-later",
 			},
-			Digest: "sha1:6d3b45e79dbab444ca7cbfa59e2833203be6fb6a",
+			Maintainer: "Timo Teräs <timo.teras@iki.fi>",
+			Digest:     "sha1:6d3b45e79dbab444ca7cbfa59e2833203be6fb6a",
 			DependsOn: []string{
 				"musl@1.1.24-r2",
 				"scanelf@1.2.4-r0",
@@ -297,6 +307,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "pax-utils",
 			SrcVersion: "1.2.4-r0",
 			Licenses:   []string{"GPL-2.0-only"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:d6147beb32bff803b5d9f83a3bec7ab319087185",
 			DependsOn: []string{
 				"musl@1.1.24-r2",
@@ -313,6 +324,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "busybox",
 			SrcVersion: "1.31.1-r9",
 			Licenses:   []string{"GPL-2.0-only"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:3b685152af320120ae8941c740d3376b54e43c10",
 			DependsOn: []string{
 				"libtls-standalone@2.9.1-r0",
@@ -330,6 +342,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			SrcName:    "zlib",
 			SrcVersion: "1.2.11-r3",
 			Licenses:   []string{"Zlib"},
+			Maintainer: "Natanael Copa <ncopa@alpinelinux.org>",
 			Digest:     "sha1:acca078ee8baa93e005f57b2fae359c1efd443cd",
 			DependsOn: []string{
 				"musl@1.1.24-r2",
diff --git a/pkg/fanal/artifact/local/fs_test.go b/pkg/fanal/artifact/local/fs_test.go
@@ -66,6 +66,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcName:    "musl",
 										SrcVersion: "1.1.24-r2",
 										Licenses:   []string{"MIT"},
+										Maintainer: "Timo Teräs <timo.teras@iki.fi>",
 										Arch:       "x86_64",
 										Digest:     "sha1:cb2316a189ebee5282c4a9bd98794cc2477a74c6",
 										InstalledFiles: []string{
diff --git a/pkg/fanal/artifact/vm/vm_test.go b/pkg/fanal/artifact/vm/vm_test.go
@@ -118,16 +118,16 @@ func TestArtifact_Inspect(t *testing.T) {
 			rootDir: "testdata/alpine",
 			wantBlobs: []cachetest.WantBlob{
 				{
-					ID:       "sha256:fecb09f4a7f0382a4feb2fb086ed5e37eaab644fef7b8f87c550a6e94a7f780f",
+					ID:       "sha256:9ca6dbba47cea74d3f9b0bf0472314735d06f42d3ccf8cfe7c021f61a3420973",
 					BlobInfo: expectedBlobInfo,
 				},
 			},
 			want: artifact.Reference{
 				Name: "rawdata.img",
 				Type: types.TypeVM,
-				ID:   "sha256:fecb09f4a7f0382a4feb2fb086ed5e37eaab644fef7b8f87c550a6e94a7f780f",
+				ID:   "sha256:9ca6dbba47cea74d3f9b0bf0472314735d06f42d3ccf8cfe7c021f61a3420973",
 				BlobIDs: []string{
-					"sha256:fecb09f4a7f0382a4feb2fb086ed5e37eaab644fef7b8f87c550a6e94a7f780f",
+					"sha256:9ca6dbba47cea74d3f9b0bf0472314735d06f42d3ccf8cfe7c021f61a3420973",
 				},
 			},
 		},
@@ -202,6 +202,7 @@ var expectedBlobInfo = types.BlobInfo{
 					SrcName:    "musl",
 					SrcVersion: "1.2.3-r5",
 					Licenses:   []string{"MIT"},
+					Maintainer: "Timo Teräs <timo.teras@iki.fi>",
 					Arch:       "aarch64",
 					Digest:     "sha1:742b0a26f327c6da60d42a02c3eb6189a58e468f",
 					InstalledFiles: []string{
diff --git a/pkg/fanal/test/integration/testdata/goldens/packages/alpine-310.json.golden b/pkg/fanal/test/integration/testdata/goldens/packages/alpine-310.json.golden
diff --git a/pkg/fanal/test/integration/testdata/goldens/packages/vulnimage.json.golden b/pkg/fanal/test/integration/testdata/goldens/packages/vulnimage.json.golden
diff --git a/pkg/scan/service_test.go b/pkg/scan/service_test.go

Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,8 @@ func (a alpinePkgAnalyzer) parseApkInfo(ctx context.Context, scanner *bufio.Scan`
`108`	`108`	`if d != "" {`
`109`	`109`	`pkg.Digest = d`
`110`	`110`	`}`
	`111`	`+ case "m:":`
	`112`	`+ pkg.Maintainer = line[2:]`
`111`	`113`	`}`
`112`	`114`
`113`	`115`	`if pkg.Name != "" && pkg.Version != "" {`