8000 sbom cataloger returning upstream package · Issue #3662 · anchore/syft · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

sbom cataloger returning upstream package #3662

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jonathongardner opened this issue Feb 13, 2025 · 1 comment · May be fixed by #3849
Open

sbom cataloger returning upstream package #3662

jonathongardner opened this issue Feb 13, 2025 · 1 comment · May be fixed by #3849
Labels
bug Something isn't working

Comments

@jonathongardner
Copy link

What happened:
When scanning docker:cgr.dev/chainguard/curl:latest with the sbom cataloger we are seeing the upstream package from an SBOM showing up "flat" in the SBOM. For example curl 8.12.0 and 8.12.0-r1 are both in the SPDX SBOM with 8.12.0-r1 being "Generated_from" 8.12.0.

What you expected to happen:
I would expect the "Generated_from" pacakge (8.12.0) to no be in the returned b/c the SPDX/SBOM isn't saying its in the image but that its generated from the package.

Another option (maybe better id) would be to preserve that relationship and show it in the results so its clear that 8.12.0 isnt in the SBOM but that 8.12.0-r1 was generated from it.

Steps to reproduce the issue:
config.yaml

output: "json"
quiet: true
check-for-app-update: false
default-catalogers:
  - sbom-cataloger
  - apk-db-cataloger

syft -c config.yaml scan docker:cgr.dev/chainguard/curl:latest

Environment:

$ syft version
Application: syft
Version:    1.19.0
BuildDate:  2025-01-22T19:57:08Z
GitCommit:  222e6548a96f8c80015c1d24f01dea3052a04893
GitDescription: v1.19.0
Platform:   linux/amd64
GoVersion:  go1.23.4
Compiler:   gc
@jonathongardner jonathongardner added the bug Something isn't working label Feb 13, 2025
@ciscochaig
Copy link

One other weird situation in the Wolfi spdx files - it leads to discovery of many components that are named *.yaml, for example:
git.yaml version d5b8192e47958e7c3f8173ef26701ae84a796f50

Not sure what is going on here as git with the correct version of 2.48.1-r1 is also discovered.

@wagoodman wagoodman moved this to Ready in OSS Mar 20, 2025
@VictorHuu VictorHuu linked a pull request May 4, 2025 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
OSS
Status: Ready
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: indicate upstream packages for sbom cataloger VictorHuu/syft
2 participants
@jonathongardner @ciscochaig
0