Nexus search collector downloaded wrong RPM package for CUDA driver
Description
When downloading the NVIDIA CUDA RPM packages with Hoppr using the Nexus Search Collector, some of the RPM packages were pulled from a RHEL7 repository when they should have been pulled from a RHEL8 repository.
What did you expect to happen?
Nexus Search Collector plugin should collect the NVIDIA CUDA package from the RHEL8 repository.
What happened instead?
Only the RHEL7 CUDA package was downloaded.
Additional details (purl types in sboms, example manifest, and transfers.yml):
These CUDA packages come from a private Nexus repository which requires credentials to access.
PURL
{
"type": "library",
"bom-ref": "pkg:rpm/cuda-drivers@530.30.02-1?arch=x86_64&epoch=0&upstream=cuda-drivers-530.30.02-1.src.rpm",
"name": "cuda-drivers",
"version": "0:530.30.02-1",
"scope": "required",
"hashes": [],
"licenses": [
{
"license": {
"name": "NVIDIA Proprietary"
}
}
],
"cpe": "cpe:2.3:a:cuda-drivers:cuda-drivers:0\\:530.30.02-1:*:*:*:*:*:*:*",
"purl": "pkg:rpm/cuda-drivers@530.30.02-1?arch=x86_64&epoch=0&upstream=cuda-drivers-530.30.02-1.src.rpm",
"externalReferences": [],
"components": [],
"properties": [
{
"name": "syft:package:foundBy",
"value": "rpm-file-cataloger"
},
{
"name": "syft:package:metadataType",
"value": "RpmMetadata"
},
{
"name": "syft:package:type",
"value": "rpm"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cuda-drivers:cuda_drivers:0\\:530.30.02-1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cuda_drivers:cuda-drivers:0\\:530.30.02-1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cuda_drivers:cuda_drivers:0\\:530.30.02-1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cuda:cuda-drivers:0\\:530.30.02-1:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:cuda:cuda_drivers:0\\:530.30.02-1:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/var/cache/dnf/ws-nvidia-cuda-proxy-ce5522407df7433a/packages/cuda-drivers-530.30.02-1.x86_64.rpm"
},
{
"name": "syft:metadata:epoch",
"value": "0"
},
{
"name": "syft:metadata:release",
"value": "1"
},
{
"name": "syft:metadata:size",
"value": "0"
},
{
"name": "syft:metadata:sourceRpm",
"value": "cuda-drivers-530.30.02-1.src.rpm"
}
]
},
Root cause
Using the Nexus Search Collector plugin, when multiple packages with the same name are found in different repositories in the Nexus instance, Hoppr identifies all of them but downloads only the first one returned.
In this case, the cuda-drivers@530.30.02-1 package exists in both rhel7 and rhel8 repositories. Only the rhel7 version was downloaded to our bundle.
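The selection problem described in the root cause, as an added example that is not Hoppr's code: the first function reproduces the "first hit wins" behaviour, the second resolves the purl from the SBOM component above against an ordered allow-list of repositories and refuses an ambiguous result instead of silently picking one. The search results are constructed and only loosely follow the field names of a Nexus `search/assets` response; `preferred_repositories` is a hypothetical setting, not an existing Hoppr option.

```python
"""Repository-aware selection of a Nexus search hit for an RPM purl.

Added example, not Hoppr's own code. The search results below are
constructed and only loosely follow the field names of a Nexus
``search/assets`` response; ``preferred_repositories`` is a hypothetical
setting, not an existing Hoppr option.
"""
from typing import Optional
from urllib.parse import parse_qs

# The purl from the SBOM component above.
CUDA_DRIVERS_PURL = (
    "pkg:rpm/cuda-drivers@530.30.02-1"
    "?arch=x86_64&epoch=0&upstream=cuda-drivers-530.30.02-1.src.rpm"
)

# Constructed sample: what one search for "cuda-drivers" might return when the
# same RPM sits in a RHEL7 and a RHEL8 proxy repo (plus an older, unrelated build).
SAMPLE_SEARCH_RESULTS = [
    {"repository": "nvidia-cuda-rhel7", "format": "yum",
     "path": "cuda-drivers-530.30.02-1.x86_64.rpm",
     "checksum": {"sha256": "CONSTRUCTED_SHA256_RHEL7"}},
    {"repository": "nvidia-cuda-rhel8", "format": "yum",
     "path": "cuda-drivers-530.30.02-1.x86_64.rpm",
     "checksum": {"sha256": "CONSTRUCTED_SHA256_RHEL8"}},
    {"repository": "nvidia-cuda-rhel8", "format": "yum",
     "path": "cuda-drivers-525.105.17-1.x86_64.rpm",
     "checksum": {"sha256": "CONSTRUCTED_SHA256_OLDER"}},
]


class AmbiguousPackageError(LookupError):
    """More than one repository offers an artifact matching the purl."""


def parse_rpm_purl(purl: str) -> dict:
    """Split pkg:rpm/[namespace/]<name>@<version>?<qualifiers> into its parts."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    path, _, query = rest.partition("?")
    ptype, _, name_version = path.partition("/")
    if ptype != "rpm":
        raise ValueError(f"not an rpm purl: {purl!r}")
    name, sep, version = name_version.rpartition("@")
    if not sep:  # no version component at all
        name, version = name_version, ""
    name = name.rsplit("/", 1)[-1]  # drop an optional namespace (pkg:rpm/fedora/...)
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return {"name": name, "version": version, "qualifiers": qualifiers}


def expected_filename(purl: str) -> str:
    """RPM file name implied by the purl: <name>-<version>.<arch>.rpm."""
    p = parse_rpm_purl(purl)
    arch = p["qualifiers"].get("arch", "noarch")
    return f"{p['name']}-{p['version']}.{arch}.rpm"


def matching_hits(purl: str, results: list) -> list:
    """Keep only yum hits whose file name is exactly the one the purl names."""
    wanted = expected_filename(purl)
    return [hit for hit in results
            if hit.get("format") == "yum"
            and hit["path"].rsplit("/", 1)[-1] == wanted]


def first_hit(purl: str, results: list) -> Optional[dict]:
    """The behaviour described in the root cause: first match wins, repository ignored."""
    matches = matching_hits(purl, results)
    return matches[0] if matches else None


def select_hit(purl: str, results: list, preferred_repositories=None) -> dict:
    """Pick a hit by an ordered repository allow-list; refuse if still ambiguous."""
    matches = matching_hits(purl, results)
    if not matches:
        raise LookupError(f"no artifact for {purl}")
    repos = sorted({h["repository"] for h in matches})
    if preferred_repositories:
        for repo in preferred_repositories:
            for hit in matches:
                if hit["repository"] == repo:
                    return hit
        raise LookupError(f"{purl} found only in {repos}, none of which is allowed")
    if len(matches) == 1:
        return matches[0]
    raise AmbiguousPackageError(f"{purl} found in several repositories: {repos}")


if __name__ == "__main__":
    print("first hit:", first_hit(CUDA_DRIVERS_PURL, SAMPLE_SEARCH_RESULTS)["repository"])
    print("selected :", select_hit(CUDA_DRIVERS_PURL, SAMPLE_SEARCH_RESULTS,
                                   ["nvidia-cuda-rhel8"])["repository"])
```

Once a single hit has been chosen, its `checksum` is the value worth carrying into the bundle and comparing against the component's `hashes` (empty in the SBOM above), so a later run that resolves the same purl to a different repository is caught rather than silently accepted.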