You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+44-1Lines changed: 44 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -168,5 +168,48 @@ It can also be run with `--check` to see the graph and sbom counts without actua
168
168
It's possible to map CPEs to products using product metadata as demonstrated in the `docs/product-definitions.json`
169
169
file. This allows integration with a bug tracking system like Jira.
170
170
171
-
The way this mapping works is to match against a ps_update_steam if such a map exists. If not, we try to match
171
+
The way this mapping works is to match against a ps_update_stream if such a map exists. If not, we try to match
172
172
against ps_modules.
173
+
174
+
#### RHEL Release Graph Mapping
175
+
176
+
For RHEL product streams (RHEL 9 and earlier), TrustShell uses an enhanced mapping mechanism that leverages the
177
+
RHEL release graph data from the `rhel-release-graph` repository. This feature addresses a specific issue with
178
+
how packages are distributed in RHEL minor releases.
179
+
180
+
**Why this feature is needed:**
181
+
182
+
SBOM data returned by Trustify already contain CPEs with minor versions (e.g., `cpe:/a:redhat:enterprise_linux:9.6::appstream`).
183
+
However, for RHEL 9 and earlier versions, packages are not re-released when a new minor version is created. Instead,
184
+
all packages are pushed into a DNF repository. This means that if a package was only released at the beginning of a RHEL stream (e.g., when RHEL 9 was at version 9.0), and subsequent releases occurred for 9.1, 9.2, etc., that package would not be visible to those later minor release streams when using direct CPE matching.
185
+
186
+
The RHEL release graph mapping solves this by:
187
+
1. Using the release hierarchy from the `rhel-release-graph` repository to understand parent-child relationships
188
+
between RHEL releases
189
+
2. When a CPE matches a parent release node, automatically associating it with all descendant leaf nodes whose
190
+
CPEs are in active product streams
191
+
3. This ensures that packages released in earlier minor versions are correctly associated with later minor version
192
+
streams
193
+
194
+
**EUS (Extended Update Support) Streams:**
195
+
196
+
Another important justification for the RHEL release graph mapping is the handling of EUS streams. When an EUS stream
197
+
is created, it includes only packages that were previously released in the 'main' RHEL stream up to the EUS start date.
198
+
Any packages that are updated or newly released in the 'main' RHEL stream after the EUS start date should **not** be
199
+
included in the EUS stream.
200
+
201
+
The rhel-release-graph mapping, along with special handling and minor version CPEs, ensures that:
202
+
- EUS streams correctly inherit only packages from their parent release that existed before the EUS start date
203
+
- Packages released after the EUS start date in the main stream are properly excluded from EUS streams
204
+
- The release hierarchy accurately reflects the temporal relationships between main RHEL releases and their EUS variants
205
+
206
+
**RHEL 10 and later:**
207
+
208
+
This mapping feature is **not necessary** for RHEL 10 and later versions, as a separate CPE is created for each
209
+
minor release. The direct CPE matching works correctly for these versions.
210
+
211
+
**Configuration:**
212
+
213
+
The RHEL release graph data is automatically loaded from the GitLab repository specified by the `RHEL_RELEASE_GRAPH_URL`
214
+
environment variable (see the [Configuration](#configuration) section above). The system caches this data locally and
0 commit comments