Comments (1)
I can confirm there seems to be something unexpected happening here:
SYFT_FILE_METADATA_SELECTION=none syft alpine:latest -o json
It results in a files section with no metadata or any other information such as digests:
"files": [
  {
    "id": "a74cadfe8cda7a82",
    "location": {
      "path": "/bin/busybox",
      "layerID": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"
    }
  },
  ...
For what it's worth: I think it might make sense for this flag to prevent metadata from being captured, rather than preventing files from being captured, and perhaps we should think about introducing a new configuration for the entire file section to disable all file data collection, e.g.:
file:
  # enable file cataloging
  enabled: true
  - or -
  selection: ...
  metadata:
    # select which files should be captured by the file-metadata cataloger and included in the SBOM.
    # Options include:
    #  - "all": capture all files from the search space
    #  - "owned-by-package": capture only files owned by packages
    #  - "none", "": do not capture any files (env: SYFT_FILE_METADATA_SELECTION)
    selection: 'owned-by-package'
    # the file digest algorithms to use when cataloging files (options: "md5", "sha1", "sha224", "sha256", "sha384", "sha512") (env: SYFT_FILE_METADATA_DIGESTS)
    digests:
      - 'sha1'
      - 'sha256'
...
from syft.
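A check for the symptom reported in the comment, as an added example that is neither syft's code nor the commenter's: it audits the "files" section of a syft JSON SBOM and reports entries that carry only an id and a location (no metadata, no digests), plus entries missing a digest algorithm the configuration asked for. It assumes file entries use the "metadata" and "digests" keys with digests as a list of {algorithm, value} objects; the embedded SBOM is constructed from the snippet above, with placeholder digest values.

```python
"""Audit the "files" section of a syft JSON SBOM for bare entries (no metadata, no digests)."""
import json

# Constructed sample modelled on the snippet in the comment; digest values are placeholders.
SAMPLE_SBOM = json.dumps({
    "files": [
        {"id": "a74cadfe8cda7a82",
         "location": {"path": "/bin/busybox",
                      "layerID": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"}},
        {"id": "0000000000000001",
         "location": {"path": "/etc/passwd", "layerID": "sha256:PLACEHOLDER"},
         "metadata": {"mode": 644, "type": "RegularFile", "size": 1234},
         "digests": [{"algorithm": "sha256", "value": "PLACEHOLDER"}]},
        {"id": "0000000000000002",
         "location": {"path": "/lib/ld-musl-x86_64.so.1", "layerID": "sha256:PLACEHOLDER"},
         "metadata": {"mode": 755, "type": "RegularFile", "size": 5678},
         "digests": [{"algorithm": "sha1", "value": "PLACEHOLDER"},
                     {"algorithm": "sha256", "value": "PLACEHOLDER"}]},
    ]
})


def audit_files_section(sbom_json, expected_digests):
    """Return (total, bare, incomplete).

    bare:       paths whose entry has neither metadata nor digests (the symptom in the comment)
    incomplete: paths whose entry lacks one of the configured digest algorithms
    """
    files = json.loads(sbom_json).get("files", [])
    bare, incomplete = [], []
    for entry in files:
        path = entry.get("location", {}).get("path", "?")
        # Assumed layout: digests is a list of {"algorithm": ..., "value": ...}
        digests = {d.get("algorithm") for d in entry.get("digests", [])}
        if not entry.get("metadata") and not digests:
            bare.append(path)
        elif not set(expected_digests) <= digests:
            incomplete.append(path)
    return len(files), bare, incomplete


if __name__ == "__main__":
    total, bare, incomplete = audit_files_section(SAMPLE_SBOM, ["sha1", "sha256"])
    print(f"{total} file entries; bare: {bare}; missing configured digests: {incomplete}")
```

Run it against real output (`syft <image> -o json`) to confirm whether a selection setting removed metadata from entries rather than removing the entries themselves.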